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Information  Superiority  Information  Superiority  is  the  driver  for  the  creation 
of  the  Global  Information  Grid  (GIG)  as  the  mean  to  provide  connectivity  between  all 
parts  of  shore  establishments,  and  with  all  deployed  forces  at  sea  and  ashore.  The  Navy 
Marine  Corps  Intranet  (NMCI)  is  an  information  technology  (IT)  services  contract  to 
provide  to  provide  secure  universal  access  to  integrated  voice,  video  and  data 
communications;  eliminate  interoperability  problems  and  remove  network  impediments 
to  improve  productivity  and  speed  of  command  to  the  shore-based  components  of  the 
Navy  and  Marine  Corps. 

The  NMCI  contract  is  the  procurement  of  IT  services  based  on  a  commercial 
model  of  Service  Level  Agreements  (SLAs).  Under  this  model,  the  emphasis  is  placed  on 
the  verification,  validation,  and  monitoring  of  the  end-user  services  and  not  on  the 
underlying  infrastructure  of  systems. 

The  research  explores  the  current  implementing  effort  of  NMCI  and  analyzes  the 
way  this  common  network  capability  is  tested  and  monitored.  This  thesis  will  provide  a 
single  source  of  information  for  managers  seeking  to  quickly  understand  the  impact  of 
NMCI  as  an  enterprise  level  asset.  Security  policies  related  to  the  project  are  examined 
and  recommendations  to  improve  this  new  IT  initiative  are  made. 
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EXECUTIVE  SUMMARY 


Network-centric  warfare  (NCW)  established  the  idea  that  networks  are  becoming 
increasingly  necessary  and  important  to  the  modern  military.  Infonnation  Superiority  is 
the  focus  of  the  transfonnational  concepts  outlined  in  Department  of  Defense  Joint 
Vision  2020  and  is  the  driver  for  the  creation  of  the  Global  Information  Grid  (GIG).  In 
order  to  provide  the  operational  environment  necessary  to  promote  information 
superiority,  there  needs  to  be  connectivity  between  ah  parts  of  shore  establishments,  and 
with  ah  deployed  forces  at  sea  and  ashore. 

The  Navy  Marine  Corps  Intranet  (NMCI)  is  an  infonnation  technology  (IT) 
services  contract  to  provide  reliable,  secure,  and  seamless  infonnation  services  to  the 
shore-based  components  of  the  Navy  and  Marine  Corps.  The  NMCI  is  a  critical 
component  of  the  Department  of  the  Navy  (DoN)  vision  of  a  network-centric  force, 
where  a  single  secure,  integrated  network  delivers  ah  voice,  video,  and  data  IT  services  to 
more  than  360,000  seats  in  more  than  300  locations.  Through  the  standardization  of 
hardware  and  software  suites,  and  employment  of  common,  multi-layered  security 
architecture,  the  NMCI  will  greatly  improve  interoperability  and  security  across  the  DoN 
“Enterprise”. 

The  purpose  of  the  analysis  that  follows  was  to  thoroughly  examine  the 
mechanisms  involved  with  monitoring  the  implementation  effort  of  NMCI,  to  include 
testing,  and  evaluate  the  Intranet’s  performance  and  impact  in  relation  to  the  end  user.  A 
brief  introduction  of  the  concepts  related  to  the  contract  along  with  snapshots  to  the 
implementation  numbers  were  provided  in  order  to  demonstrate  that  the  implementation 
effort  still  remain  behind  schedule,  no  mater  of  continuously  adjusting  the  associated 
timeframe.  On  the  other  hand,  NMCI  is  the  foundation  that  will  enable  DoN-wide  web- 
based  processes,  knowledge  management  and  e-business  solutions,  making  the  decision 
to  go  ahead  with  this  IT  initiative  an  obvious  one.  With  NMCI  and  by  adapting  to  the 
new  approach  of  “IT  as  a  utility”,  apart  from  dealing  with  the  “bandwidth-starvation” 
problem,  greater  efficiency  and  effectiveness  in  ah  facets  of  naval  operations  will  be 
gained. 
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The  research  examined  the  current  roughly  200  different  criteria  and 
measurements  as  described  by  the  Contract  Line  Item  Number  (CLINs)  and  SLAs 
used  by  DoN  to  monitor  the  success  of  the  common  network  capability  for  the  whole 
Department  and  concluded  that  even  without  DoN’s  prior  experiences  of  that  type  of  IT 
acquisition  activity,  the  methodology  to  describe  and  frame  the  NMCI  was  the  result  of  a 
sound  approach  towards  a  Service-Level  Agreement  (SLA)  contract  based  on  practices 
already  established  and  followed  by  the  private  sector  businesses,  while  enforcing 
automated  tools  to  monitor  the  related  metrics  facilitates  objective  establishment  of  the 
exact  services  levels. 

The  NMCI  contract  is  relying  on  the  concept  of  SLA  to  ensure  mutual 
government  and  provider  understanding  of  the  services  to  be  provided  and  to  ensure  that 
stakeholders’  and  users’  expectations  are  satisfactorily  defined  and  executed.  However, 
continuous  assessment  and  adjustment  of  the  SLAs  are  necessary  in  this  type  of 
contracting  environment.  The  main  conclusion  is  that  the  DoN  and  EDS  after  the 
completion  of  the  “Operational  Evaluation”  phase  should  establish  the  SLAs  at  a  level 
that  the  NMCI  project  delivers  value  for  both  parties  and  the  DoN  should  continue  to 
receive  IT  support  as  an  “utility”  and  take  advantage  of  the  outsource  idea  in  order  to 
focus  more  on  its  core  missions  while  exploiting  IT  as  a  force  multiplier. 
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I. 


INTRODUCTION 


A.  THE  “GRAND  STRATEGY”  ENVIROMENT 

1.  Department  of  Defense  (DoD)  Strategic  Visions  and  the 
Implementation  of  the  Joint  Task  Force  (JTF)  Concept 

DoD  must  develop  the  ability  to  integrate  combat  organizations  with 
forces  capable  of  responding  rapidly  to  events  that  occur  with  little  or  no 
warning.  These  joint  forces  must  be  scalable  and  task-organized  into 
modular  units  to  allow  the  combatant  commanders  to  draw  on  the 
appropriate  forces  to  deter  or  defeat  an  adversary.  The  forces  must  be 
highly  networked  with  joint  command  and  control,  and  must  be  better  able 
to  integrate  into  combined  operations  than  the  forces  of  today. 

(Abstract  from  the  Quadrennial  Defense  Review  September  2001, 
included  in  the  Year  2003  Secretary’s  of  Defense  Annual  Report  for  the 
President  and  the  Congress,  p.  42) 

The  Fully  Connected  Battlefield  of  the  21st  Century 

Tier 3  -  Mobile  SATCOM  I  Microwave  (Trunk  Links)  , 

Tier  2  -  Mobile  LOS  Network  (Backbone  Subnet  Links)  UAV  "er  "  1,1 

- Tier  1  -  Mobile  Handheld  (Subscriber  Subnet  Links) 


Figure  1:  Joint  Task  Force  (JTF)  Operating  Under  the  Concept  of  Networking 

Transformation  can  be  defined  as  the  process  of  changing  form,  nature  or 
function.  Fashioning  joint  operating  concepts  to  guide  the  conduct  of  joint  operations  and 
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promote  interagency  cooperation  are  DoD  leading  priorities  for  transformation.  For  the 
United  States  (U.S.)  developing  the  kind  of  forces  and  capabilities  that  can  adapt  quickly 
to  new  challenges  and  unexpected  circumstances  requires  changing  the  form  or  structure 
of  the  military  forces  and  the  nature  of  the  military  culture  and  doctrine  supporting  those 
forces;  and  streamlining  war-fighting  functions  to  more  effectively  meet  the  complexities 
of  any  type  of  threat.  The  Joint  Knowledge  Development  and  Distribution  Capability 
(JKDDC)  initiative,  for  example,  is  intended  to  leverage  state-of-the-art  technology  to 
access  knowledge  and  share  information — in  the  form  of  education,  learning,  training, 
and  human  expertise — using  a  networked,  knowledge-based,  joint  architecture  that  is 
interoperable  within  the  various  military  services.  The  main  idea  is: 

To  provide  dynamic,  capabilities-based  training  for  the  Department  of 
Defense  in  support  of  national  security  requirements  across  the  full 
spectrum  of  service,  joint,  interagency,  intergovernmental,  and 
multinational  operations 

Lt  Col  Lyndon  S.  Anderson,  Director  of  Joint  Management  Office  (JMO),  Joint 
Knowledge  Development  and  Distribution  Capability  (JKDDC)  Briefing,  in  the 
Worldwide  Joint  Training  Conference,  USA,  September  2003. 

The  JKDDC  is  intended  to  allow  on-scene  commanders,  first  responders,  and 
others  to  seek  real-time  advice  from  subject-matter  experts  in  the  areas  of  language, 
culture,  science,  strategy,  and  planning  at  various  sites  across  the  globe.  The  objectives  in 
mind  are: 

•  Prepare  forces  for  new  war-fighting  concepts 

•  Continuously  improve  joint  force  readiness 

•  Develop  individuals  and  organizations  that  think  and  act  joint 

•  Develop  individuals  and  organizations  that  improvise  and  adapt  to 
emerging  crises 

•  Achieve  unity  of  effort  from  a  diversity  of  means 

The  focus  of  DoD  now  shifts  into  enabling  joint  operations  -the  ability  of  land, 
sea,  air,  and  space  forces  to  be  combined  under  the  control  of  a  single  combatant 
commander-  and  used  in  ways  that  are  most  appropriate  to  achieving  the  final  objectives. 
Over  the  past  years,  the  individual  military  departments  have  each  proposed  their 

individual  models  of  how  they  would  prefer  to  fight  and  DoD  is  now  seeking  to  integrate 
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these  perspectives  into  an  overarching  concept  for  the  employment  of  the  joint  force.  The 
importance  of  implementing  the  JTF  concept  is  reflected  in  the  priority  list  included  in 
the  2003  Secretary  of  Defense  Annual  Report  to  the  President  and  the  Congress. 


Drive  Innovative 

Joint  Operations 

E>  eve  lop  IV I  o  i*e 
Effective 
Organizations 

Define  and 
Develop 

I  i‘M nsformatio  mil 
Capabilities 

Define  Skills  and 
Competencies  for 
tlie  Future 

. 

Figure  2:  DOD’s  Priorities  for  the  Year  2004,  from  the  Year  2003  Secretary’s  of  Defense 
Annual  Report  for  the  President  and  the  Congress,  p.  65) 


2.  Network-Centric  Warfare  (NCW) 

Network  Centric  Warfare  (NCW)  has  emerged  as  the  key  paradigm  for 
achieving  the  distributed  war-fighting  goals  outlined  in  Department  of  Defense  (DoD) 
Joint  Vision  2020  [Note  1]  and  is  the  driver  for  the  creation  of  the  Global  Information 
Grid  (GIG).  [Note2]  Each  of  the  military  services  under  the  DoD  drafted  “roadmaps” 
laying  out  their  respective  approaches  to  acquiring  the  kinds  of  capabilities  described  as 
leading  the  way  toward  a  transfonned  force.  The  concept  of  NCW  has  become  the  central 
concept  for  organizing  Department  of  the  Navy  (DoN)  efforts  to  change  and  transfonn 
itself.  The  structural  model  for  the  Navy’s  NCW  concept  is  a  high-performance 
information  grid  that  quickly  assimilates  and  shares  battlefield  data  among  Naval  Forces 
worldwide.  NCW  shifts  the  emphasis  from  platform-centered,  attrition-style  operations  to 
a  new  methodology  based  on  enhanced  speed  of  command  and  dynamic,  real-time 
reorganization  of  sensors  and  shooters  to  meet  changing  mission  requirements.  This  new 
model  of  warfare  introduces  the  change  from  relying  solely  on  the  individual  platform 
towards  networking  units  as  the  medium  for  the  conduct  of  Naval  Operations.  (Vice 
Admiral.  Arthur  K.  Cebrowski,  U.S.  Navy  and  John  J.  Garstka,  article  “Network  Centric 
Warfare:  Its  Origins  and  Future”  -Naval  Institute  Proceedings,  1997). 
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Figure  3:  Logical  Model  for  Network-Centric  Warfare,  from  the  Cebrowski  and  Garstka 
article  “Network  Centric  Warfare:  Its  Origins  and  Future  ” 

NCW  focuses  on  using  advanced  information  technology  (IT)  -  computers,  high¬ 
speed  data  links,  and  networking  software  -  to  link  together  ships,  aircraft,  and  shore 
installations  into  highly  integrated  computer/telecommunications  networks.  At  the 
structural  level,  network-centric  warfare  requires  an  operational  architecture  with  three 
critical  elements:  sensor  grids  and  transaction  (or  engagement)  grids  hosted  by  a  high- 
quality  information  backplane.  They  are  supported  by  value-adding  command-and- 
control  processes,  many  of  which  must  be  automated  to  get  required  speed.  Rapid 
information  collection,  analysis,  dissemination,  decision-making,  and  execution  are 
critical  to  achieve  increased  combat  effectiveness.  The  information  grid  will  provide  the 
necessary  backplane  for  computing  and  communications,  by  enabling  the  operational 
architectures  of  sensor  grids  and  engagement  grids.  The  sensor  grid  rapidly  generates 
engagement  quality  awareness,  and  the  engagement  grid  translates  this  awareness  into 
increased  combat  power.  NCW  generates  combat  power  by  the  fusion  of  networking 
sensors,  decision-makers  and  shooters.  There  are  two  complementary  ways  that  this  is 
accomplished: 


•  Network-centric  warfare  allows  participating  forces  to  develop  speed  of 
command. 
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Network-centric  warfare  enables  forces  to  organize  from  the  bottom  up— 
or  to  self-synchronize— to  meet  the  commander's  intent. 


Information  superiority,  obtained  through  NCW,  creates  combat  power  by  fusing 
information  producers  with  information  consumers  at  the  right  time  and  place  across  the 
battlefield.  The  aim  is  to  produce  increased  shared  situational  awareness  and  accelerated 
speed  of  command  with  a  higher  tempo  of  operations,  resulting  in  greater  lethal 
capability  and  increased  survivability  for  the  operational  units. 

3.  The  Visions  of  the  Department  of  the  Navy  (DoN) 

The  speed,  volume,  and  diversity  of  knowledge  required  to  effectively  operating 
within  the  framework  of  joint  military  forces  is  continuously  accelerating.  Projected 
future  operating  environments  strongly  emphasize  the  decisive  advantage  conferred  by 
superior  infonnation  management  and  knowledge  dominance  and  both  will  probably  be 
the  key  to  operational  success  in  the  future.  Near-instantaneous  collection,  analysis,  and 
dissemination  of  information  coupled  to  advanced  computer-driven  decision  aids  aim  to 
unify  the  battle  space  of  the  21st  century. 

Our  vision  and  our  way  ahead  -  Naval  Power  21  and  the  Naval 
Transformation  Roadmap  -  provide  the  framework  to  align,  organize,  and 
integrate  our  Naval  Forces  to  meet  the  wide  array  of  challenges  that  lie 
ahead.  This  will  require  accelerating  operational  concepts  and 
technologies  to  improve  war-fighting  effectiveness  and  enhance  homeland 
defense;  shaping  and  educating  our  force  to  operate  tomorrow's  Fleet; 
sustaining  readiness;  and  harvesting  efficiencies  to  invest  in  the 
transformation  of  our  Navy  and  Marine  Corps. 

Secretary  of  the  Navy,  in  his  2003  Annual  report  for  the  President  and 
Congress 

The  Navy’s  vision  focuses  on  four  fundamental  qualities  of  Naval  Forces  - 
decisiveness,  sustainability,  responsiveness  and  agility.  The  Navy  and  Marine  Corps  have 
defined  their  respective  Service  strategies  in  Sea  Power  21  and  Marine  Corps  Strategy 
21.  Taken  together,  these  visions  begin  to  prescribe  a  strategy  to  concepts  to  capabilities 
technology  continuum  that  will  result  in  greatly  enhanced  power  projection,  protection 
and  joint  operational  freedom.  In  so  doing,  they  provide  the  framework  for  organizing, 
aligning,  integrating  and  transforming  the  fully  networked  naval  forces  to  meet  the 
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challenges  and  risks  that  lie  ahead.  (Secretary  of  the  Navy,  Year  2003  Secretary’s  of 
Defense  Annual  Report  for  the  president  and  Congress,  p.  163) 


Swift  and  effective  use  of  information  will  be  central  to  the  success  of  Sea  Power 
21.  Sea  Strike  will  rely  on  rich  situational  awareness  provided  by  persistent  intelligence, 
surveillance,  and  reconnaissance  to  sense  hostile  capabilities  and  trigger  rapid  and  precise 
attacks.  Sea  Shield  will  use  integrated  infonnation  from  joint  military,  interagency,  and 
coalition  sources  to  identify  and  neutralize  threats  far  from  shores,  locate  and  destroy  any 
type  of  challenge  in  littoral  waters,  and  intercept  missiles  deep  over  land.  Sea  Basing  will 
draw  on  comprehensive  data  to  sustain  critical  functions  afloat,  such  as  joint  command 
and  logistics,  ensuring  operational  effectiveness  and  timely  support.  (Vice  Admiral 
Richard  W.  Mayo  and  Vice  Admiral  John  Nathman,  U.S.  Navy,  article  “FORCEnet: 
Turning  Information  into  Power”-  Naval  Institute  Proceedings,  February  2003). 


SEA  POWER  2  1 


Projecting  Defensive  Assurance 
assure  allies,  deter  adversaries,  sustain  access 

Sea  Shield 


Innovation  to  the  Warfighter... 
rapid  prototyping, 
concept  development, 
coordinated  experimentation 

Preparing  the  Warfighter., 
the  right  skills, 
in  the  right  place, 
at  the  right  time 

Resources  to  the  Warfighter... 
optimum  resource  allocation, 
increased  productivity, 
enhanced  procurement 


Sea  Strike 

Projecting  Offensive  Power... 
responsive,  precise,  and  persistent 


Sea  Basins 

Projecting  Operational  Independence... 
joint  power  from  the  sea 


Figure  4:  The  Navy’s  Vision  for  the  21st  Century,  from  RADM  Mike  Sharp,  U.S.  Navy, 
Vice  Commander  Space  &  Naval  Warfare  Systems  Command  Briefing,  at  the  NMCI  - 
Industry  Symposium,  19  June  2003 


The  Navy  is  turning  visions  and  plans  into  reality  as  it  chooses  which  information 
and  communications  technologies  will  be  integrated,  which  ones  will  be  dropped,  and 
which  will  serve  as  the  foundation  for  its  giant  FORCEnet  architectural  framework. 
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FORCEnet  is  a  massive,  transformational  undertaking  that  will  integrate,  align  and 
enhance  existing  networks,  sensors,  commands,  platforms,  operations  and  weapons 
across  the  entire  Navy.  The  goal  of  the  project,  which  went  through  its  first  major  field 
test  in  late  September  2003,  is  faster,  better  decision-making  for  intelligent,  interoperable, 
network-centric  warfare.  (Cheryl  Gerber,  (MIT  Correspondent),  article:  “Field  Test 
Highlights  FORCEnet  Advances  Military  Information  Technology,  November  2003) 

4.  FORCEnet  within  the  JTF  Concept 

FORCEnet  is  the  enabler  of  Sea  Power  21,  turning  information  into  power.  It  has 
the  aim  to  provide  the  advantage  of  information  superiority  and  increase  responsiveness 
and  survivability  of  participants  involved.  Sharing  information  could  enable  knowledge- 
based  operations,  delivering  greater  power,  protection,  and  operational  independence  than 
ever  before  possible  to  joint  force  commanders. 


Figure  5:  FORCEnet,  the  New  Naval  Operational  Environment,  from  RADM  Mike 
Sharp,  USN  Vice  Commander  Space  &  Naval  Warfare  Systems  Command  Briefing,  at 
the  NMCI  -  Industry  Symposium,  19  June  2003 

FORCEnet  will  be  the  operational  construct  and  architectural  framework  for  naval 
warfare  in  the  information  age  that  integrates  warriors,  sensors,  networks,  command  and 
control,  platforms,  and  weapons  into  a  networked,  distributed  combat  force  that  is 
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scalable  across  all  levels  of  conflict  from  seabed  to  space  and  sea  to  land.  The  goal  of 
FORCEnet  is  to  achieve  superior  knowledge  for  deployed  forces,  leading  to  increased 
combat  power.  A  comprehensive  network  of  sensors,  analysis  tools,  and  decision  aids  to 
support  the  full  array  of  naval  activities,  from  combat  operations  to  logistics  and 
personnel  development  will  be  created.  The  focused,  timely,  and  accurate  data  delivered 
by  this  type  of  network  will  help  decision-making  at  every  level  by  allowing  participants 
to  draw  on  vast  amounts  of  information  and  share  the  resultant  understanding.  This  could 
increase  the  joint  force's  ability  to  synchronize  activities  throughout  the  battle  space  to 
achieve  the  greatest  impact. 

Developing  this  type  of  capability  will  involve  designing  and  implementing  a 
network  architecture  that  includes  standard  joint  protocols,  common  data  packaging, 
seamless  interoperability,  and  strengthened  security.  FORCEnet  spans  across  Navy  and 
United  States  Marines  Corps  (USMC)  mission  areas  and  is  Joint  from  Inception  -  Naval 
unique  implementations  are  only  by  exception.  Some  key  Joint  drivers  towards  the 
Global  Information  Grid  include:  the  bandwidth  expansion,  the  Transformational 
Communications  Architecture  and  the  Defense  Information  System  Network  [Note  3]. 
The  overall  technical  architecture  will  consist  of  commercial  standards  with  DoD 
standards  imposed  only  as  necessary  to  confonn  to  unique  military  requirements. 


Figure  6:  Integration  of  Systems,  Information  and  Decision  Tools  towards  FORCEnet, 
from  RADM  Mike  Sharp,  USN  Vice  Commander  Space  &  Naval  Warfare  Systems 
Command  Briefing,  at  the  NMCI  -  Industry  Symposium,  19  June  2003 
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Priority  actions  will  include:  Web-enabling  the  Navy;  establishing  open 
architecture  systems  and  standards  to  allow  rapid  upgrades  and  integration;  building 
common  data  bases  to  widely  share  information;  implementing  standard  user  interfaces  to 
access  information;  and  establishing  portals  that  allow  users  to  pull  data  from  common 
servers.  (Vice  Admiral  Richard  W.  Mayo,  U.S.  Navy  and  Vice  Admiral  John  Nathman, 
U.S.  Navy,  article  “FORCEnet:  Turning  Information  into  Power”,  Naval  Institute 
Proceedings,  February  2003).  As  a  direct  result,  a  tremendous  effort  to  integrate  systems, 
information  and  services  at  the  inter-service  level  is  necessary  and  will  require  capability 
investments  within  and  across  joint,  interagency  and  international  programs. 

5.  How  the  Navy  Will  Achieve  Information  Superiority 

Information  superiority  will  be  the  key  outcome  of  the  transformational 
concepts  outlined  in  Joint  Vision  2020.  Information  superiority  can  be  defined  as 
providing  our  forces  with  the  capability  to  collect,  process,  and  disseminate  an 
uninterrupted  flow  of  information  while  exploiting  or  denying  an  adversary’s  ability  to  do 
the  same.  In  a  non-combat  situation  this  means  that  our  forces  would  have  the  necessary 
information  to  achieve  their  operational  objectives.  In  order  to  provide  the  operational 
environment  necessary  to  promote  information  superiority,  there  needs  to  be  connectivity 
between  all  parts  of  shore  establishments,  and  with  all  deployed  forces  at  sea  and  ashore. 
This  connectivity  will  enable  an  environment  where  all  members  can  collaborate  freely, 
share  information,  and  organizational  learning  can  be  fostered.  (NMCI  Report  to 
Congress,  30  June  2000,  p.  J-5-1) 

DoN  is  building  the  infrastructure  necessary  to  achieve  information  superiority 
and  support  knowledge  superiority  at  the  same  time.  The  Web-enabled  framework  is 
designed  to  ensure  mobile,  seamless  operations  for  the  business  and  operational  process 
users,  and  provide  support  tools  for  users  to  access  the  services  and  data  from  any 
location.  Ashore,  that  infrastructure  takes  the  form  of  the  Navy-Marine  Corps  Intranet 
(NMCI)  project  that  will  ultimately  connect  all  ashore  Naval  facilities  and  pennit  rapid, 
secure,  information  transfer,  and  universal  Internet  access.  At  sea,  SPAWAR  is  installing 
IT-21  capabilities  on  most  fleet  units  to  bring  the  same  capability  while  afloat.  The 
combination  of  the  two  networks  could  provide  universal  access  and  infonnation  sharing 
across  the  entire  department.  As  web  access  becomes  more  available,  we  will  begin 
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moving  to  a  “Web  enabled  Navy”.  The  Web-enabled  Navy  (WEN)  will  be  a  web-service 
based  layer  riding  on  top  of  existing  C4ISR  architectures  and  infrastructures  including  the 
NMCI,  IT-21,  the  Defense  Information  System  Network  (DISN),  and  commercial 
services.  The  combination  of  these  elements  begins  to  move  the  Navy  rapidly  toward  the 
goal  of  knowledge  superiority  and  integrated  information — the  right  information, 
provided  to  the  right  person  at  the  right  time 
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Figure  7:  Web-enabled  Navy,  from  RADM  Mike  Sharp  USN  Vice  Commander  Space  & 
Naval  Warfare  Systems  Command  Briefing,  at  the  NMCI  -  Industry  Symposium  19  June 
2003 

Navy  and  Marine  Corps  personnel  use  IT  to  support  DoN’s  core  business, 
scientific,  research,  computational  activities,  and  war  fighting  activities.  The  Navy’s 
effort  to  implement  the  transformational  efforts  that  are  promoted  by  the  DoD  involves 
several  simultaneous  IT  procurement  efforts,  as  the  necessary  building  blocks.  (Ronald 
O'Rourke,  Congressional  Research  Service  Report:  Navy  Network-Centric  Warfare 
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Concept:  Key  Programs  and  Issues  for  Congress,  Order  Code  RS20557,  June  6th  of  2001, 
p.  2)  For  units  afloat,  the  Cooperative  Engagement  Capability  (CEC)  program  [Note  4] 
along  with  the  IT-21  investment  strategy  [Note  5]  are  currently  underway,  while  for 
Naval  Installations  ashore  the  Navy-Marine  Corps  Intranet  (NMCI)  is  the  concept 
used  to  make  the  full  range  of  network-based  information  services  available  to  Navy  and 
Marines  operators  for  day-to-day  activities,  along  with  war-fighting  supportive  tasks. 


Figure  8:  Elements  of  FORCEnet  towards  a  Wide  Enterprise  Network  (WEN),  from 
RADM  Mike  Sharp,  USN  Vice  Commander  Space  &  Naval  Warfare  Systems  Command 
Briefing,  at  the  NMCI  -  Industry  Symposium  19  June  2003 

The  Navy-Marine  Corps  Intranet  is  a  corporate-style  intranet  that  will  link 
together  Navy  and  Marine  Corps  shore  installations  in  much  the  same  way  that  the  IT-21 
effort  will  link  together  Navy  ships.  When  completed,  the  NMCI  will  include  a  total  of 
about  360,000  computer  workstations,  or  “seats,”  at  numerous  Naval  and  Marine  Corps 

installations.  The  NMCI  service  area  includes  the  Continental  United  States  (CONUS),  as 
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well  as  Alaska,  Hawaii,  Guantanamo  (Cuba),  Puerto  Rico,  and  Iceland  for  an  estimated 
360,000  Navy  and  Marine  Corps  Uniform  and  civilian  workforce  members  (which 
includes  6,000  USMC  reserve  seats)  in  addition  to  80,000  Navy  Selected  Reserve  force 
members.  Additionally,  DoN  has  reserved  the  right  to  expand  the  NMCI  service  area 
outside  the  continental  US  (OCONUS)  sites,  beyond  those  listed  above.  (NMCI  Contract 
N00024-00-D-6000,  Conformed  Contract  P00080  10/6/2003,  p.  1) 


The  Necessity  of  NMCI 
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Figure  9:  Why  an  Intranet,  from  Rear  Admiral  Chuck  Munns,  Director  of  NMCI,  NMCI 
Progress  Briefing,  at  the  NMCI  -  Industry  Symposium  17  June  2003 

NMCI  is  a  very  important  part  of  the  tremendous  integration  effort  currently 
underway  and  will  contribute  to  the  final  creation  of  FORCEnet  and  the  Global 
Information  Grid  (GIG)  that  are  the  capstone  ideas  under  NCW.  The  purpose  of  NMCI  is 
to  provide  the  Navy  and  Marine  Corps  with  secure  universal  access  to  integrated  voice, 
video  and  data  communications;  eliminate  interoperability  problems;  and  remove 
network  impediments  to  improve  productivity  and  speed  of  command.  The  task  of  the 
NMCI  contract  seems  simple  enough:  Bring  the  Navy  and  Marine  Corps'  disparate 
information  technology  ashore  systems  together  under  a  single  vendor  to  provide  greater 
security  and  interoperability. 
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NMCI  is  the  largest  information  technology  contract  ever  awarded  by  the  United 
States  (U.S.)  Federal  Government,  replacing  hundreds  of  Navy  and  Marines  Corps 
networks  across  the  continental  U.S.  that  were  used  before  the  NMCI  introduction.  The 


initiative  is  not  only  dealing  with  agencies  ashore  but  it  will  provide  pier-side 
connectivity  for  naval  vessels  in  port,  practically  involving  the  total  number  of  the 
Navy’s  workforce  (military  and  civilians)  in  the  NMCI  implementation.  The  magnitude 
of  the  numbers  indicated  that  the  outsourced  option  was  the  best  way  to  go.  In  a  huge 
outsourcing  effort,  Electronic  Data  Systems  Corp.  (EDS)  will  take  over  the  ownership 
and  operation  of  the  Navy  and  Marine  Corps  Information  Technology  (IT)  hardware, 
software  and  other  related  services  and  will  build  and  run  a  Navy  and  Marine  Corp 
Intranet  at  a  lower  cost  than  what  the  DoN  and  Marine  Corps  were  paying  by  purchasing 
and  managing  IT  themselves.  The  contract  coordinator,  Texas  based  EDS,  is  a  global 
leader  in  desktop  and  network  management,  currently  overseeing  more  than  3.3  million 


desktops  for  government  and  commercial  customers  around  the  world,  (www.eds.com 
(Facts  about  EDS)  accessed  February  2004) 

NMCI  -  From  insecure,  disparate  networks  to  one  secure  intranet 
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Figure  10:  NMCI  and  Tactical  Networks  Interface,  from  the  NMCI  -  Industry 
Symposium,  19  June  2003,  FORCEnet-Engineering&  Architecting  the  Navy ’s  IT  Future 
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The  concept  behind  the  NMCI  transformation  effort  is  to  apply  the  speed  and 
opportunities  of  Internet  technology  not  only  in  the  already  under  strong  emphasis  war- 
fighting  tasks,  but  also  in  the  very  daily  activities  of  naval  personnel  and  especially  those 
dealing  with  administrative  and  support  tasks.  Supporting  the  war-fighter  are  logistics, 
administration  and  other  related  operations  or  even  training  functions.  These  activities 
also  rely  heavily  on  IT  to  produce  the  right  type  of  support.  The  goal  of  the  NMCI 
contract  is  to  eliminate  stovepipe  systems  and  modernize  the  way  Navy  does  business. 
DoN  will  have  network  services  as  an  enterprise  level  asset,  with  bandwidth  on  demand, 
making  life  better  for  every  Marine,  Sailor  and  DoN  Civilian.  The  ultimate  aim  is  to 
allow  DoN  operators  to  focus  on  their  mission  rather  than  be  concerned  with  IT  services 
and  all  the  technical  problems  related  with  infrastructures  and  administration  activities. 

Moving  NMCI  from  theory  towards  reality  has  proved  a  challenge,  because  the 
Navy's  information  technology  (IT)  infrastructure  must  be  transfonned  from  one  in  which 
products  are  purchased  piecemeal  (emphasis  into  buying  commercial  off  the  Shelves 
(COTS)  products  by  various  vendors,  without  a  coordinated  plan)  into  a  utility  similar  to 
a  telephone  service  (one  single  vendor,  responsible  for  hardware,  software  and  IT 
services  at  the  same  time).  As  a  result  of  the  importance  of  the  NMCI  initiative,  there  has 
been  a  plethora  of  information  (positive  and  negative)  published.  Almost  every 
government  information  technology  industry  trade  magazine  has  published  the  good  but 
also  the  bad  and  the  ugly  side  of  the  DoN’s  attempts  to  initiate  this  change.  The  NMCI 
initiative  differs  from  a  traditional  DoD  acquisition  program,  where  typically  a  system  is 
purchased  and  the  government  assumes  configuration  control  and  life  cycle  maintenance 
responsibility.  The  NMCI  contract  is  for  the  procurement  of  IT  services  (not  systems) 
based  on  a  commercial  model  of  Service  Level  Agreements  (SLA).  Under  this  model, 
the  emphasis  is  placed  on  the  verification,  validation,  and  monitoring  of  the  end-user 
services  and  not  on  the  underlying  infrastructure  or  systems. 

B.  PURPOSE  AND  BENNEFIT  OF  THE  STUDY 

1.  Performance  Measures  Used 

The  Government  Performance  and  Results  Act  of  1993  (GPRA)  and  the 
Information  Technology  Management  Reform  Act  (ITMRA  also  known  as  Clinger- 
Cohen  act)  mandate  the  use  of  specific  perfonnance  metrics  for  IT  acquisitions.  The 
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Clinger  -  Cohen  Act  requires  the  establishment  of  performance  measures  to  assess  how 

well  NMCI  supports  mission  accomplishment  and  for  accountability  and  evaluation  of 

investment  post-deployment.  Section  5123  of  the  ITMRA,  Performance  and  Results- 

Based  Management,  requires  that  the  head  of  an  executive  agency  shall: 

Ensure  that  performance  measurements  are  prescribed  for  information 
technology  used  by,  or  to  be  acquired  for,  the  executive  agency  and  that 
the  performance  measurements  measure  how  well  the  information 
technology  supports  programs  of  the  executive  agency. 

(www.cit.nih.gov  (Clinger-Cohen  Act  (CCA))  accessed  February  2004) 


The  EDS-NMCI  team  provides  services  to  a  range  of  Navy  and  Marine  Corps  end 
points  or  as  described  in  the  contract,  Service  Delivery  Points  (SDP).  These  SDP  include 
voice,  video  and  data  connection  points  for  end  users,  the  general  NMCI  enterprise,  and 
interfaces  to  other  DoN  and  DoD  communications  environments.  The  specific  services  to 
be  provided  to  the  end  points  vary  but  include  the  IT  services  listed  in  Table  A,  at 
Appendix  A.  When  the  NMCI  contract  was  initially  written,  it  laid  out  more  than  a 


hundred  and  thirty  five  (135)  specific  performance  requirements  in  twenty  (20)  different 
categories.  The  Navy  and  EDS  are  continuously  reviewing  and  adjust  the  SLAs  that  are 


the  basis  of  measuring  the  performance  of  the  NMCI. 
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Figure  1 1 :  Summary  of  CLINs  and  the  Related  Domains,  updated  in  February  2004 
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The  purpose  of  the  analysis  that  follows  will  be  to  briefly  examine  the 
mechanisms  involved  with  monitoring  the  implementation  effort  of  NMCI,  as  well  as 
testing  its  performance,  in  relation  to  the  end  user.  The  research  shall  examine  the  current 
roughly  200  different  criteria  and  measurements  as  described  by  the  Contract  Line  Item 
Number  (CLINs)  and  SLAs  used  by  DoN  to  monitor  the  success  of  the  common 
network  capability  for  the  whole  Department  and  make  recommendations  regarding  the 
tools  and  methods  currently  used  to  test  and  monitor  the  common  network  capability. 

2.  Concept  of  SLAs 

The  NMCI  contract  works  by  setting  out  performance  levels  that  EDS  must  either 
meet  or  beat.  The  Navy  will  pay  EDS  bonuses  if  they  exceed  performance  levels  and 
penalize  them  for  poor  performance.  DoN  will  receive  all  the  connectivity,  customer  help 
services,  repair  services  and  so  on  as  part  of  the  basic  seat  price,  while  the  NMCI  vendor 
maintains  configuration  management  and  asset  management  and  is  expected  to  keep  the 
customer  well  informed  of  changing  service  and  technology  refreshments.  The  NMCI 
contract  is  relying  on  the  concept  of  SLA  to  ensure  mutual  government  and  provider 
understanding  of  the  services  to  be  provided  and  to  ensure  that  stakeholder  and  user 
expectations  are  satisfactorily  defined  and  executed. 


Services-Contract  Model  for 

NMCI 


•  USER 

Customer  Satisfaction 
is  optimized  when 
quality  of  service 
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Figure  12:  Contract  Model  of  NMCI,  from  Captain  Chris  Christopher,  U.S.  Navy,  NMCI 


Briefing  for  the  Joint  Logistics  Council,  USA,  29  March  2001 

16 


Traditionally,  organizations  list  their  IT  requirements  for  procurement,  in  a 
statement  of  work  that  is  included  in  the  request  for  proposals  (RFP).  SLAs  expand 
this  approach  further  by  detailing  the  level  of  service  and  performance  quality  that  the 
organization  expects.  For  this  process  to  work  correctly,  both  the  customer  and  vendor 
must  agree  up  front  about  their  expectations  as  well  as  the  metrics  by  which  quality  will 
be  measured.  The  idea  is  to  ensure  that  the  service  levels  are  measuring  things  that 
actually  matter  and  that  the  project  is  in  line  with  the  organization's  mission.  Legislation 
such  as  the  Clinger-Cohen  Act  of  1996,  which  links  funding  with  agency  performance, 
has  been  one  of  the  main  drivers  behind  adopting  this  different  approach. 

SLA  performance  monitoring  should  be  a  continuous  activity  to  evaluate  and 
maintain  the  desired  level  of  Help  Desk  support,  customer  satisfaction,  system 
performance,  and  resources  stability.  While  many  of  the  services  emphasize  end-to-end 
performance,  from  a  user  perspective,  a  number  of  enterprise  level  services  are  viewed  as 
mission  critical  and  equally  important  to  measure.  Services  covered  by  SLA  fall  into  the 
following  categories: 

•  User  upgrades 

•  End  user  services 

•  Maintenance  and  Help  Desk  services 

•  Communications  services 

•  Systems  services 

•  Information  assurance  services 

•  Seashore  rotation  support 

•  Specific  requirements 

(Navy  Marine  Corps  Intranet  Site  Deployment  Guide  Version  1.2,  07  March 

2003,  p.  41) 

The  thesis  shall  examine  what  is  really  important  to  this  monitoring  methodology 
and  analyze  whether  a  much  smaller  version  of  critical  factors  can  be  used  more 

effectively  or  not.  Potential  impacts  due  to  the  magnitude  of  this  “DoN  wide  level” 
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network  will  also  be  identified,  especially  in  terms  of  Department  of  Defense  (DoD) 
Infonnation  Assurance  (IA)  policies  and  procedures.  The  aim  will  be  to  identify  any 
weak  points  related  with  interoperability  and  security  across  the  DoN  and  make 
appropriate  recommendations  to  be  included  in  future  changes  of  the  SLA’s. 

C.  RESEARCH  QUESTIONS 

This  thesis  shall  explore  the  current  effort  of  implementing  the  NMCI  within  DoN 
and  analyze  the  way  this  common  network  capability  is  tested  and  monitored.  A  snapshot 
to  the  implementation  numbers  of  NMCI  will  be  given  to  conclude  if  the  effort  remains 
within  track  or  not.  Additionally,  the  thesis  will  examine  briefly  the  security  policies 
related  with  the  NMCI  project  and  offer  recommendations  for  improvement  if  possible. 
The  research  will  provide  a  single  source  of  information  for  managers  seeking  to  quickly 
understand  the  factors  influencing  the  end  user  in  embracing  NMCI  in  terms  of 
Information  Assurance  (IA). 

1.  Primary  Research  Question 

Examining  the  way  the  NMCI  implementation  effort  is  progressing.  What  are  the 
key  factors  and  their  impact  on  the  effort  and  detennine  the  current  DoN  capability  to 
successfully  monitor  the  perfonnance  measurements  related  with  the  NMCI. 

2.  Secondary  Research  Questions 

A.  Is  DoN  facing  a  problem  by  using  200  different  criteria  and  why  is 

it  using  this  methodology? 

B.  What  tools  are  currently  available  to  aid  in  the  monitoring  process? 

C.  Brief  examination  of  the  NMCI’s  I A  and  security  policies 

a)  Suggestion  of  possible  solutions  in  order  to  improve 

security  from  INTERNAL  threats. 

D.  SCOPE  AND  RESEARCH  METHOD 

The  basic  documents  supporting  this  case  study  of  the  NMCI  implementation 
effort  will  be  the  officially  updated  NMCI  Contract  N00024-00-D-6000,  (Confonned 
Contract  P00080),  10/6/2003,  along  with  the  Navy  Marine  Corps  Intranet  Site 
Deployment  Guide  Version  1.2,  3/07/2003.  The  Business  Case  Analysis  (BCA)  for 
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NMCI  by  Booz,  Allen  and  Hamilton  Inc.  (Contract  GS-23F-0755H)  will  be  used 
extensively  to  justify  the  reasons  necessary  to  migrate  towards  NMCI  and  describe  the 
impact  of  the  common  network  capability  in  DoN’s  mission.  The  Navy’s  official  website 
related  with  NMCI  (www.nmci.navy.mil)  will  also  be  use  to  provide  details  as  necessary. 
Data  collected  through  literary  research  of  published  articles  and  reports  in  information 
technology  related  journals  and  magazines  will  be  used  to  deliver  the  weak  or  strong 
points  of  NMCI’s  implementation. 

The  research  will  be  principally  qualitative  in  nature  as  it  seeks  to  answer  the 
primary  and  subsidiary  research  questions.  The  purpose  is  to  determine  the  current  status 
of  NMCI’s  implementation  effort  and  deliver  a  list  of  critical  factors  to  enable  DoN  in  the 
determination  of  the  Quality  of  Services  Level  (QoS)  provided  by  the  contractor.  The 
thesis  shall  look  at  the  general  criteria  currently  in  use  and  their  applicability  and  will 
establish  the  general  framework  in  order  to  deliver  recommendations  based  on  data 
collected  through  examination  of  Business  Case  Analysis  (BCA)  for  the  Navy  Marine 
Corps  Intranet,  as  well  as  the  NMCI  reports  to  the  Congressional  Committees. 

E.  ORGANIZATION  OF  THESIS 

The  methodology  used  in  this  thesis  research  will  consist  of  the  following: 

1.  Examine  the  NMCI  contracting  environment  to  include  the  methodology 
and  techniques  for  testing  and  the  monitoring  criteria  used  by  the  contractor. 

2.  Conduct  a  literature  search  of  applicable  reports,  journal  and  newspaper 
articles  as  well  as  other  information  sources  to  determine  various  issues  associated  with 
the  NMCI  implementation  efforts  and  their  impact. 

a.  The  time  associated  with  the  conduct  of  the  research  indicated  that 
the  early  years  of  the  contract  up  to  the  year  2003  should  be  examined  in  the  background 
section  of  the  thesis.  Developments  in  the  year  2003  and  later  are  covered  in  the  data 
collection  section. 

3.  Determine  the  impact  of  NMCI  on  end  users,  in  terms  of  IA. 

4.  Analyze  the  criteria  used  to  evaluate  NMCI’s  performance. 

5.  Make  recommendations  based  upon  research  and  analysis. 
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F.  ENDNOTES 

1.  Joint  Vision  2020,  released  May  30  2000  and  signed  by  the  chairman  of 
the  Joint  Chiefs  of  Staff,  Army  Gen.  Henry  Shelton,  extends  the  concepts  laid  out  in  Joint 
Vision  2010.  "Full-spectrum  dominance"  is  the  key  term  in  "Joint  Vision  2020,"  the 
blueprint  DoD  will  follow  in  the  future.  While  full-spectrum  dominance  is  the  goal,  the 
way  to  get  there  is  to  "invest  in  and  develop  new  military  capabilities."  The  four 
capabilities  at  the  heart  of  full-spectrum  dominance  are:  dominate  maneuver,  precision 
engagement,  focused  logistics  and  full-dimensional  protection.  (Jim  Garamone 
(American  Forces  Press  Service),  article  “Joint  Vision  2020  Emphasizes  Full-spectrum 
Dominance” ,  (www.defenselink.mil  (Joint  Vision  2020),  accessed  January  2004) 

2.  The  DoD’s  building  blocks  of  this  information  grid  consist  of  more  than  3 
million  individual  computers  on  12,000  local  area  networks  (LANs).  These 
interconnected  classified  and  unclassified  computers  and  LANs  fonn  the  Global 
Information  Grid  (GIG),  which  supports  combatant  commanders,  fixed  installations  and 
deployed  forces  around  the  world.  The  GIG  supports  every  component  of  the  DoD, 
including  war-fighters,  policymakers  and  business  processes.  (Major  General  J.  David 
Bryan  (Vice  Director  of  Defense  Information  Systems  Agency),  article  “IA:  Holistic 
View,  Targeted  Response”,  Military  Information  Technology,  September  2003)  The  GIG 
relies  on  commercial  technology  to  tackle  information  security  challenges. 

3.  The  Unclassified  But  Sensitive  Internet  Protocol  Router  Network,  or 

“NIPRNet”  and  the  Secret  Internet  Protocol  Router  Network,  or  “SIPRNet”  comprises 

the  Defense  Information  System  Agency’s  Defense  Information  Systems  Network 

(DISN).  The  essentiality  of  these  networks  has  developed  over  time,  and  has  been 

accelerated  by  the  increasing  dependence  of  the  Department  of  Defense  on  the  Internet  as 

a  common  business  process  infrastructure.  Taken  together,  these  two  data  networks 

provide  the  essential  information  necessary  to  conduct  and  support  the  full  range  of 

military  operations.  Both  the  NIPRNet  and  the  SIPRNet  are  Wide  Area  Networks 

(WAN),  consisting  of  routers,  modems,  encryption  devices  and  other  ancillary  equipment 

interconnected  by  high  capacity  data  links  and  distributed  throughout  the  world.  In 

addition,  these  networks  will  continue  to  grow  in  importance  to  the  Department  of 

Defense  as  “Community  of  Interest”  networks  are  developed  and  fielded.  These  Service- 
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specific  networks  will  be  using  the  NIPRNet  and  SIPRNet  as  the  common  data  transport 
infrastructure.  The  largest  of  these  networks  at  the  moment  is  the  Navy  and  Marine 
Corps  Intranet  (NMCI).  (Major  General  David  Bryan,  Vice  Director  of  the  Defense 
Information  Systems  Agency  and  the  Commander  of  the  Joint  Task  Force  Computer 
Network  Operations,  Testimony  to  the  Congressional  subcommittee  on  the  Department  of 
Defense  responsibility  for  the  protection  of  its  computer  networks  from  cyber  attack,  17 
May  2001) 

4.  The  Cooperative  Engagement  Capability  (CEC)  system  is  intended  to 
provide  the  capability  for  a  warship  to  cooperatively  engage  targets  by  using  data  from 
other  CEC-equipped  ships,  aircrafts  and  land  target  sensors,  even  in  a  jamming 
environment.  The  CEC  system  links  U.S.  Navy  ships  and  aircraft  operating  in  a  particular 
area  into  a  single,  integrated  air-defense  network  in  which  radar  data  collected  by  each 
platform  is  transmitted  on  a  real-time  basis  to  the  other  units  in  the  network.  The  system 
works  in  conjunction  with  individual  ship,  aircraft  and  shore  systems  and  it  also  provides 
a  common,  consistent  highly  accurate  air  picture,  allowing  for  battle  group  defense  as  one 
integrated  system,  by  networking  assets  together.  (COTS  Journal,  Interview  of  [U.S.] 
Captain  Dan  Busch,  Cooperative  Engagement  Capability,  August  2001) 

5.  IT-21,  which  stands  for  IT  for  the  21st  Century,  is  the  Navy’s  investment 
strategy  for  procuring  the  desktop  computers,  data  links,  and  networking  software  needed 
to  establish  an  intranet  for  transmitting  tactical  and  administrative  data  within  and 
between  Navy  ships.  The  IT-21  network  will  be  built  around  commercial,  off-the-shelf 
(COTS)  desktop  computers  and  networking  software.  (Ronald  O’Rourke,  Congressional 
Research  Service  Report:  Navy  Network-Centric  Warfare  Concept:  Key  Programs  and 
Issues  for  Congress,  Order  Code  RS20557,  6  June  2001,  p.  4) 
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II.  BACKGROUND 


A.  OVERVIEW  OF  THE  NMCI  CONTRACT 

1.  Historical  Data  and  Modifications  of  the  Contract  Until  the  Year  2003 

NMCI  is  an  IT  initiative  and  procurement  strategy  to  provide  secure,  seamless, 
global  end-to-end  connectivity  for  Naval  war-fighting  tasks  and  enhance  business 
functionality.  Ensuring  that  this  intranet  is  interoperable  within  the  Global  Information 
Grid  (GIG),  it  will  interface  with  other  joint  forces’  systems.  Through  the  NMCI 
program,  the  United  States  Navy  (USN)  and  United  States  Marine  Corps  (USMC)  aim  to 
procure  IT  services  through  a  commercial  seat  management  contract,  with  the  intend  to 
deliver  comprehensive,  end-to-end  information  services  via  a  common  computing  and 
communications  environment.  The  DoN  conducted  an  informal  analysis  of  alternatives  in 
the  spring  of  1999  and  determined  that  commercially  contracted  seat  management 
represented  the  best  option  to  efficiently  satisfy  current  and  future  DoN  IT  support 
requirements.  (Booz,  Allen  and  Hamilton,  Business  Case  Analysis  (BCA)  for  NMCI, 
(Contract  GS-23F-0755H),  6/30/2000,  p.  1) 
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Figure  13:  The  Evolution  of  NMCI  towards  Reality,  by  Joseph  Cipriano,  PEO  for  IT, 
from  his  NMCI  briefing  at  the  Anned  Forces  Communications  and  Electronics 
Association,  San  Diego-USA,  16  February  2000 
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However,  it  is  necessary  to  note  that  the  initial  estimates  for  implementation  from 
the  Navy  and  the  views  expressed  by  the  potential  contractors  were  quite  optimistic. 
Taking  into  account  the  technical  complexity,  the  magnitude  of  the  effort  and  the  fact  that 
both  parties  were  moving  into  “uncharted  waters”  with  standards  and  specifications  in  a 
continuous  flux,  there  were  delays  occurring  during  the  negotiations  even  as  early  as  the 
establishment  of  business  proposals  phase.  The  incremental  realization  of  the  technical 
obstacles  necessary  to  overcome  by  every  participant  in  the  NMCI  effort  indicated  that 
more  time  was  needed.  However,  the  significant  importance  of  the  need  to  create  uniform 
standards  and  applications  for  the  DoN  enterprise  pointed  towards  moving  ahead  no 


matter  the  adjustments  necessary.  Finally,  the  contract  was  awarded  to  Electronic  Data 
Systems  Corp.  (EDS)  on  the  6th  of  October  2000,  for  a  total  of  $6.9  billion  and  duration 
of  five  years  plus  three  optional  years  at  the  Department  of  the  Navy  (DoN)  discretion. 
The  final  bid  was  about  $3  billion  less  than  the  three  other  bidders — Computer  Sciences 
Corp.,  IBM  Corp.  and  General  Dynamics  Corp.  NMCI’s  transformation  effort  aims  to 
bring  together  the  vast  majority  of  DoN  personnel;  military,  government  civilians  and 


contractors  into  a  single  integrated  IT  environment. 
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Figure  14:  Revised  NMCI  Contract  Timetable  (Year  2001),  by  Captain  Chris  Christopher 


from  his  NMCI  Briefing  for  the  Joint  Logistics  Council,  USA,  29  March  2001 
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This  adjustment  in  the  time-schedule  involved  with  the  NMCI  implementation 
was  only  the  first  of  the  many  to  come.  Much  was  at  stake  for  EDS  and  the  Navy  in  the 
NMCI  program.  For  the  Navy,  NMCI  offered  the  opportunity  to  fundamentally  redesign 
and  modernize  its  day-to-day  operations  by  replacing  an  unplanned  hodgepodge  of 
standalone  PCs  and  multiple  local  area  networks  that  grew  up  over  decades  and  do  not 
communicate  with  each  other.  Additionally,  as  the  largest  federal  infonnation  technology 
project  ever  attempted,  the  pressure  on  the  project  was  intense:  Many  within  the  military 
and  intelligence  establishments  were  closely  watching  the  effort  because  of  President 
Bush’s  mandate  to  improve  internal  communications  for  homeland  security.  For  EDS,  the 
project  represented  a  large  chunk  of  business  and  also  provides  the  company  with  a  high- 
profile  platform  to  demonstrate  its  capabilities  to  other  military  and  civilian  agencies 
contemplating  similar  seat  management  projects.  Needless  to  say,  the  NMCI  contract 
represented  (and  still  is)  the  “Crown  Jewel”  in  the  extremely  competitive  IT  services 
market. 

Implementing  NMCI  globally  across  an  organization  as  large  as  the  Navy  and 
Marine  Corps  requires  cultural  change,  this,  does  not  come  without  some  degree  of 
anxiety  and  after  overcoming  a  variety  of  obstacles.  Additionally,  Congress  has  been 
skeptical  about  the  cost  benefit  of  the  project  ever  since  it  was  proposed.  The  Navy  was 
originally  set  to  announce  the  contract  award  in  May  2000,  but  it  was  delayed  for  more 
than  four  months  after  Congress  raised  objections.  The  main  concerns  were  the  amount  of 
money  involved  and  institutional  resistance  towards  change  within  the  services.  From  the 
early  steps  of  the  NMCI  implementation,  the  multi  billion  dollars  project  had  turned  into 
a  major  technology  headache  for  the  USN/USMC  and  EDS. 

The  project  already  was  a  year  behind  schedule,  and  many  in  Congress  were 

concerned  it  would  not  stay  within  its  authorized  budget.  Members  of  the  Armed  Services 

committees  in  the  House  of  Representatives  and  the  Senate  began  asking  tough  questions 

related  with  NMCI.  They  wanted  to  know  in  every  detail  how  much  money  the  Navy  was 

already  spending  on  desktop  IT  products  and  services,  how  it  would  pay  for  NMCI,  what 

the  project  exact  schedule  would  be,  and  how  it  would  impact  the  Navy’s  civilian 

employees  and  small  business  partners.  Disagreement  between  the  Navy  and  the 

Pentagon  about  the  level  of  testing  required  for  NMCI  delayed  the  project  and  raised 
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even  more  concerns  within  Congress.  The  Navy  advocated  commercial  testing 
procedures;  the  Pentagon  wanted  more  stringent  testing  measures  such  as  those  applied  to 
weapons  systems.  Among  the  problems,  the  Navy  discovered  that  instead  of  a  few 
thousand  software  applications,  its  systems  actually  housed  a  staggering  100,000. 
Hundreds  of  old  applications  could  not  be  moved  to  the  new  system,  meaning  that 
hundreds  of  workers  were  forced  to  have  two  computers  on  their  desks.  The  large  number 
of  old  applications  uncovered  another  set  of  problems:  Some  programs  could  not  be 
merged  into  the  new  system.  They  were  either  too  antiquated  to  be  compatible  with  the 
standard  NMCI  operating  system  (Microsoft  Windows  2000),  or  it  was  not  even  possible 
to  determine  their  level  of  compliance  with  the  new  security  requirements  of  NMCI. 

A  compromise  was  reached  and  incorporated  into  the  Defense  authorization  bill, 

S.  1438,  which  passed  the  Senate  on  the  13th  of  December  2001  and  allowed  the  Navy  to 
order  additional  seats  under  NMCI  after  specific  testing  and  performance  milestones 
were  reached.  This  event-driven  implementation  of  NMCI  was  introduced  to  ensure  that 
the  program  would  be  fully  tested  and  proven  through  its  introduction  into  Navy  and 
Marine  field  units.  (Gail  Repsher  Emery,  article:  “After  slow  start,  Congress  learning  to 
like  NMCI”,  Washington  Technology  magazine,  February  2002)  The  incompatible 
applications  had  been  “quarantined”  in  separate  terminals,  meaning  that  for  a  specific 
timeframe  some  employees  have  two  computers;  one  handling  the  new  system's  traffic 
and  another  with  the  old  programs,  but  they  were  able  to  continue  with  their  nonnal 
business.  As  for  the  legacy  applications,  the  Navy  adopted  an  approach  called  “ruthless 
rationalization,”  the  objective  of  which  was  to  eliminate  all  unnecessary  applications  and 
reduce  the  number  in  place  to  fewer  than  10,000;  the  goal  was  1,000.  With  most  of  the 
initial  misgivings  resolved  and  better  communication  between  Congress  and  the  Navy, 
lawmakers  approved  $582  million  for  NMCI  in  the  2002  Defense  Authorization  Act. 

But  the  legislation  also  established  milestones  and  conditions  including  rigorous 
testing,  that  the  high-profile  program  should  satisfy  in  order  to  win  funding  during  the 
next  budget  cycle.  The  bill  also  required  the  Navy  Secretary  to  report  to  Congress  on  the 
testing  and  implementation  of  NMCI,  when  the  Navy  would  order  more  seats,  and  also 
when  EDS  would  assume  responsibility  for  more  seats,  according  to  the  proposed 


26 


schedule  laid  out.  Additionally,  it  required  the  Navy  to  appoint  a  manager  for  NMCI 
whose  sole  responsibility  was  to  oversee  and  direct  the  program. 

In  the  period  between  March  to  May  2002,  an  independent  third  party, 
Management  Systems  Designers,  Inc.  (MSD)  announced  the  NMCI  Contractor’s  Test  and 
Evaluation  (CTE)  phases  2  &  3  were  completed  successfully,  at  the  first  NMCI 
operational  sites  at  Naval  Air  Station  Patuxent  River,  Maryland;  Naval  Air  Facility, 
Washington,  DC;  Naval  Air  Station  Lemoore,  California;  and  network  operating  centers 
at  Norfolk,  Virginia  and  San  Diego,  California,  therefore  removing  the  legislative  barriers 
and  making  way  for  additional  “seats”  to  be  ordered  .[Note  1]  The  NMCI  system  also 
passed  a  test  according  to  the  DoD  established  framework  and  guidance,  in  May  2002, 
verifying  that  it  was  working  properly.  Under  an  agreement  between  Pentagon  and  Navy 
officials,  the  Navy  was  permitted  to  roll  out  about  60,000  seats  as  a  test  of  the  feasibility 
of  the  project.  John  Stenbit,  CIO  at  the  U.S.  Department  of  Defense,  approved  on  May  3 
the  continued  rollout  of  the  NMCI  after  EDS  successfully  passed  initial  tests  conducted 
on  the  pilot  seats  that  were  already  in  place.  Achievement  of  “Milestone  One”  allowed 
DoN  to  order  an  additional  100,000  seats.  However,  Navy  officials  and  outside  experts 
acknowledged  that  the  program  still  faced  significant  challenges,  particularly  in  the  areas 
of  change  management  and  legacy  system  integration. 

DoN  officially  turned  up  the  heat  on  EDS  on  August  2002,  when  it  began 
monitoring  the  service  users  were  receiving  through  NMCI.  Those  service-level 
agreements  kicked  in  on  the  9th  of  August,  when  NMCI  passed  the  20,000-user  mark. 
Under  a  September  2001  agreement  with  Pentagon  officials,  EDS  and  the  Navy  had  to 
review  the  service  levels  for  a  month  and  conduct  an  “operational  assessment”  that  shows 
that  the  data  monitored  by  the  enterprise  management  system  is  accurate.  In  the  same 
month,  the  NMCI  team  reached  another  critical  milestone,  with  the  Pentagon  giving  the 
Navy  the  go-ahead  to  connect  about  40,000  users  working  on  the  Defense  Department's 
classified  network,  SIPRNET.  More  specifically,  SIPRNET  is  DoD's  classified  network 
that  military  personnel  use  for  accessing  classified  applications  and  databases  and  for 
secure  messaging.  Although  it  uses  common  Internet  Protocol  (IP)  standards,  it  is 
physically  and  logically  separated  from  all  other  computer  systems,  because  it  is  using 


dedicated  encrypted  lines  for  transmission. 

27 


With  the  pace  of  the  program  accelerating,  DoN  and  EDS  decided  to  “tighten”  the 
service-level  agreements  that  are  the  basis  of  measuring  the  perfonnance  of  NMCI. 
(Christopher  J.  Dorobek,  article:  “Navy,  EDS  to  refine  performance  metrics”- Federal 
Computer  Week,  September  2002)  Such  tinkering  should  be  a  normal  part  of  a 
performance-based  IT  contract  and  the  operation  of  the  enterprise  management  system, 
monitoring  the  SLAs  was  one  of  the  questions  at  the  heart  of  NMCI’s  next  milestone.  The 
Pentagon  had  already  asked  DoN  to  demonstrate  the  capability  of  accurately  monitoring 
service  levels  across  the  whole  available  network.  Additionally,  the  Defense  Operational 
Test  and  Evaluation  division  completed  its  independent  assessment  and  testing  of  NMCI 
on  the  4th  of  October,  which  would  provide  the  data  for  the  project's  next  significant 
milestone,  demonstration  of  the  contractor’s  with  the  established  SLAs.  Those  tests 
showed  mixed  results,  but  the  overall  consensus  of  those  involved  with  the  management 
of  the  NMCI  initiative  was  that  the  newly  built  system  had  all  the  potentials  to  achieve  its 
specified  goals.  On  the  positive  side,  the  same  evaluation  concluded  that  NMCI’s  external 
security  met  SLA  goals.  Internal  security  needed  improvement  in  password  and 
configuration  management,  but  the  Common  Access  Card  Public  Key  Infrastructure 
cryptographic  login  should  provide  additional  security  when  implemented. 

Some  of  those  problems  discovered  in  the  testing  included: 

•  Reach-back  to  legacy  e-mail  was  slow. 

•  Help-desk  performance  was  below  service  level  goals 

•  Performance  at  the  workstation  level  was  inconsistent. 

•  Configuration  management,  incident  and  problem  management  processes 
were  immature.  (Matthew  French,  article:  “NMCI  Testing  shows  mixed 
results  Federal  Computer  Week,  December  2002) 

We  are  now  in  Part  Two  of  the  process,  and  that  is  to  brief  those  who  need 
to  be  briefed  [to  receive  approval]  to  go  beyond  that  60,000-seat  cutover 
and  ensure  the  service  level  agreements  to  go  to  an  order  beyond  160,000 
seats 

Rear  Admiral  Charles  Munns,  U.S.  Navy,  NMCI  director,  from  the 
Mathew  French  article 
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The  contract  model  has  always  called  for  the  firm  to  invest  money  upfront  and 
make  a  profit  later.  Deploying  the  equipment  and  manpower  has  been  costly  for  EDS. 
After  already  investing  $650  million  to  $800  million  in  the  Navy  intranet,  it  discovered 
that  it  would  take  longer  than  expected  to  turn  a  profit.  Given  its  weak  financial  position, 
reaching  profitability  was  increasingly  important.  Nevertheless,  the  Navy  asked  Congress 
to  extend  the  contract  for  two  more  years,  which  would  make  up  for  delays  and  allow 
EDS  to  recoup  its  costs.  The  contract  received  a  significant  modification  in  the  30th  of 
October  2002.  EDS  Corp.  was  awarded  a  $1,916,000,000  modification  to  the  previously 
contract  (N00024-00-D-6000)  for  an  extension  to  add  two  years  to  the  basic  contract 
period,  (www.defenselink.mil  (POD  News:  Contracts  for  October  30,  2002)  accessed 
February  2004)  The  final  modification  of  the  contract  has  resulted  into  a  base  period  of 
seven  (7)  program  years  and  maintains  the  option  for  an  additional  three  (3)  program 
years. 

2.  Establishment  of  SLAs 

NMCI  represents  more  than  just  the  harmonizing  of  hundreds  of  separate  systems 
within  ashore  installations.  DoN  is  adopting  an  approach  that  has  already  been  extremely 
successful  for  industry,  by  purchasing  IT  services  that  include  hardware,  software, 
maintenance  and  training.  While  many  commercial  organizations  in  the  past  have 
employed  service  level  agreements  (SLAs)  for  information  technology  acquisition  and 
maintenance,  the  NMCI  represents  one  of  the  few  instances  where  a  government  agency 
has  adopted  this  approach,  therefore  pioneering  the  way.  The  heart  of  every  performance- 
based  contract  is  the  SLA  that  defines  satisfactory  performance,  computes  payment,  and 
measures  success.  The  first  and  most  important  step  in  a  perfonnance-based  contract  is 
selecting  and  specifying  achievable  performance  levels. 

To  ensure  that  the  Navy  and  Marine  Corps  had  adequate  opportunity  to  outline 
their  requirements  and  expectations,  representatives  from  the  various  stakeholder  groups 
contributed  input  from  the  early  inception  of  the  project,  to  include  feedback  from  the 
end  user  team.  They  met  on  a  regular  basis  to  determine  necessary  features,  the  value  of 
each  feature  to  a  specific  group  and  DoN  in  general,  affordable  and  acceptable  costs, 
appropriate  incentives  for  vendors  that  were  all  included  in  the  SLAs  and  the  RFP  for  the 
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NMCI  contract.  Service  Level  Agreement  (SLA)  is  a  specifically  defined  level  of 
performance  required  by  the  NMCI  contract. 


Enter, 


Marine  Corps 

■in\ 


Evolution  of  the  NMCI 
Acquisition  Approach 


Meetings 
f/Claimants 
&  Industry 


Nominal 
soo  SLA 


RFP 


Requirements  Chain 


Providers  industry  users  Industry  analysis 

Industry  feedback  comments/questions 


figure  15:  The  DoN’s  Approach  to  Determine  the  SLA’s  Related  with  NMCI  (via 
interaction  with  the  potential  providers  and  end-users),  by  Captain  Chris  Christopher 
from  his  NMCI  Briefing  for  the  Joint  Logistics  Council,  USA,  29  March  2001 


The  NMCI  contract  includes  a  total  of  thirty-seven  (37)  SLA’s  and  establishes 
financial  penalties  if  the  contractor  fails  to  meet  them.  This  utility-like  costing  and  billing 
style  associated  with  NMCI  is  expected  to  result  in  numerous  benefits  like  lower  overall 
costs,  faster  IT  acquisition  cycles  and  easier  integration  of  new  personnel  into  a 
command.  It  is  a  common  standard  within  industry  that  service  level  performance  should 
be  based,  in  part,  on  end-user  satisfaction  and  that  the  specific  level  of  satisfaction  should 
be  measured  by  a  third  party  that  is  independent  of  both  the  Navy  and  EDS.  As  a  result, 
there  are  incentives  included  within  the  contract  to  motivate  superior  contractor’s 
support.  EDS  could  earn  hundreds  of  millions  of  dollars  if  it  meets  certain  specific 
standards.  (Matthew  French,  article:  Survey  says...  NMCI  users  satisfied.  Federal 
Computer  Week,  24  March  2003).  These  incentives  are: 
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A  one-time  $10  million  payment  when  all  360,000  seats  have  been 
transitioned  to  NMCI. 


•  Up  to  $  1 .25  million  per  year  for  using  small  and  disadvantaged  businesses 
as  subcontractors. 

•  Up  to  $144  million  per  year  for  meeting  customer  satisfaction  goals  — 
based  on  earning  $25  per  seat  per  quarter  if  customer  satisfaction  levels 
are  at  85  percent,  $50  per  seat  per  quarter  for  90  percent  customer 
satisfaction  or  $100  per  seat  per  quarter  for  95  percent  customer 
satisfaction. 

•  Up  to  $10  million  per  year  for  information  assurance  if  NMCI  performs 
well  in  unannounced  "information  warfare"  tests  of  the  network's  security 
and  survivability. 

Each  SLA  is  quite  extensive  in  details  and  includes: 

•  Service  Name 

•  Service  Description 

•  Service  Delivery  Points 

•  Performance  Categories 

•  Performance  Measurement  Requirements 

•  Performance  Requirements 

•  Equivalent  Level  of  Service 

o  Level  of  Service  1  -  Basic 

o  Level  of  Service  2  -  High  End 

o  Level  of  Service  3  -  Mission  Critical 

In  the  following  Table  (Table  1)  the  analytical  description  of  the  randomly 
selected  SLA  2  is  presented,  in  order  to  provide  an  example  of  the  final  level  of  details 
included  within  the  contract,  while  Table  B  at  Appendix  B  provides  the  analytical 
description  of  the  monitoring  perfonnance  criteria  involved  with  the  NMCI,  along  with 

the  methodology  used  to  detennine  variations  from  the  optimal  level  of  service. 

31 


Service  Name:  Standard  Office  Automation  Software  SLA:  2 

Service  Description:  Vendor  provided  standard  desktop  integrated  software  suite.  It  includes  word 
processing,  spreadsheet,  presentation  graphics,  and  database.  These  packages  must  interoperate 
across  DON  and  within  the  Department  of  Defense. 

Applicable  Service  Delivery  Points:  Fixed  and  Portable  (Basic,  High  End,  Mission  Critical) 
Workstation.  Embarkable  Workstation.  Embarkable  Portable  (Government  and  Contractor  provided), 
Hybrid  Seat 

Levels  of  Services:  3:  (Basic,  High  End,  Mission  Critical) 

Performance  Category  1:  Installation  Accuracy 

Performance  Measure  Description:  Percentage  of  office  automation  software  installations/upgrades 
successful  on  first  use.  Formula  is:  (#  of  office  automation  software  installation/upgrades  in  month  -  # 
of  'failed/improper'  installation/upgrades)  /#  of  installation/upgrades  in  month.  The  failed  number 
includes  incorrect  software  version,  improper  configuration,  failure  to  install/upgrade  in  designed  time- 
window,  etc,  that  are  reported  within  72  hours  of  completion  of  the  seat  installation  checklist  by  the 

ISF  technician  and  acceptance  by  a  Government  user.  It  excludes  any  network  related  failures  if 
software  loading  performed  from  a  central  source.  The  measurement  is  an  aggregate  and  average  by 
site  of  the  installation  accuracy  by  similar  seats  as  determined  by  trouble  tickets  at  the  Help  Desk. 

The  software  is  assumed  to  be  installed  properly  unless  the  NMCI  end  user  notifies  the  Help  Desk 
informing  of  a  failure..  If  no  installations/upgrades  occur  during  a  reporting  period,  the  value  will  be 
reported  as  “N/A". 

Who:  Contractor 

Frequency:  Monthly 

Where:  NMCI-wide 

How  measured:  Vendor  includes  all  events  of 
failed  installation/upgrades  in  monthly  reports  to 
the  Government.  It  includes  date,  software 
package  and  user/PC  ID  for  which  it  failed.  The 
'failed  installation/upgrade'  data  will  be  audited  by 
the  Government  or  a  designated  third  party. 

B  Value 

Pre-Negotiation 

Contract  SLA 

Level  of  Service  (1) 

0.995 

0.995 

0.995 

Level  of  Service  (2) 

0.995 

0.995 

0.995 

Level  of  Service  (3) 

0.995 

0.995 

0.995 

Performance  Category  2:  Software  Currency 

Performance  Measure  Description:  Office  automati 
OA  software  standard  across  the  enterprise.  The  n 
a  current  NMCI  software  version  falls  2  versions  be 
then  the  contractor  must  upgrade  the  enterprise  to 
release  of  the  new  version,  unless  the  Government 
NMCI  software  version  has  been  implemented  for  c 
is  available,  the  contractor  will  upgrade  to  the  lates 
anniversary,  unless  the  Government  determines  ot 

on  software  currency  relative  to  industry  standards, 
netric  values  listed  are  qualified  as  follows:  where 
hind  the  latest  commercially  available  release, 
the  newest  release  within  three  months  of  the 
determines  otherwise.  In  the  case  where  current 
jreater  than  one  year,  and  a  more  current  version 
version  within  3  months  following  the  one  year 
lerwise. 

Who:  Government  team 

Frequency:  Quarterly 

Where:  Enterprise  level 

How  measured:  Analysis  of  NMCINMCI  standard 
office  automation  software  compared  to  state-of- 
the  shelf  office  automation  software,  as 
determined  by  Contractor/Government 
configuration  control  board. 

B  Value 

Pre-Negotiation 

Contract  SLA 

Level  of  Service  (1) 

<=  lyr  or  2  versions 

<=  lyr  and/or  2  versions 

<=  lyr  and/or  2  versions 

Level  of  Service  (2) 

<=  lyr  or  2  versions 

<=  lyr  and/or  2  versions 

<=  lyr  and/or  2  versions 

Level  of  Service  (3) 

<=  lyr  or  2  versions 

<=  lyr  and/or  2  versions 

<=  lyr  and/or  2  versions 
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Performance  Category  3:  Interoperability 

Performance  Measure  Description:  For  Standard  Office  Automation  Software,  the  interoperability 
requirement  is  to  provide  users  with  the  ability  to  exchange  information  using  standard  Gold  Disk 
applications  with  other  DON  users  not  served  by  NMCI  (IT-21,  MCTN,  and  OCONUS),  with  DoD/Joint 
partners,  and  with  major  acquisition  partners.  The  products  and  data  produced  on  NMCI  desktops 
must  be  managed  to  ensure  that  all  current  and  future  versions  of  the  Gold  Disk  support  the 
information  exchange  requirements  of  the  Navy  and  Marine  Corps  mission,  to  include  backward 
compatibility.  Standard  Office  Automation  Software  interoperability  will  be  measured  in  two  ways:  (1) 
proof  of  interoperability  and  (2)  Help  Desk  Interoperability  Trouble  Tickets. 

-The  proof  of  interoperability  is  to  establish  and  maintain  connection  for  the  purpose  of  transferring 
standard  office  products  between  the  test  client  and  a  set  of  representative  test  sites.  This  set  is 
described  in  the  Interoperability  Test  Plan.  Gold  Disk  applications  will  be  exercised  by  scripts 
operated  from  user  agents  installed  at  network  devices  located  within  NMCI  and  at  external  locations 
including  IT-21/MCTN,  DoD/Joint  and  commercial  partner  (major  acquisition  partners).  The  proof  of 
interoperability  is  successful  end-to-end  testing  between  the  test  client  and  remote  test  site  and  is 
defined  by  the  receipt  of  an  anticipated  script  response.  Failure  equates  to  (2)  two  consecutive 
unsuccessful  executions  of  a  single  application  script  from/to  the  same  sites.  Measurement  will  be 
performed  by  schedule  and  by  event  (to  include  introduction  of  a  new  application  version);  additional 
measurements  will  be  performed  as  appropriate  to  ensure  interoperability. 

-  Interoperability  will  also  be  assessed  by  submission  by  users  of  Help  Desk  Interoperability  Trouble 
Tickets.  The  definition  of  interoperability  failure  is  exceeding  the  Government  and  ISF  agreed  upon 
Help  desk  reporting  threshold  value. 

The  interoperability  measurement  must  capture  two-way  functionality.  Notification  of  the  Government 
is  required  for  Office  Automation  Software  failure  established  by  the  DON;  the  timeliness  of  reporting 
is  stipulated  in  the  Level  of  Service  metric. 

Who:  Contractor 

Frequency:  Measured  a  minimum  of  once  monthly 
for  user  agents;  continuously  for  Help  Desk. 
Reported  monthly. 

Where:  Measured  from  an  NMCI  user  agent 
(located  at  an  NMCI  workstation)  or  an  equivalent 
client  configuration  operated  from  a  NOC  test 
installation  to  test  points  identified  in  the  NMCI 
Interoperability  Test  Plan,  to  include  NMCI, 
DoD/Joint,  and  at  least  one  Commercial  (Major 
Acquisition  Partner).  Help  Desk  data  will  be 
captured  from  interoperability  trouble  reports. 

How  measured:  1)  End  User  Incident  Reports  to 
Help  Desk,  and  Remote  Locked  Down 

Workstation  test  results  by  running  scripts. 
Collection  and  analysis  granularity  will  be  by  test 
site  for  script-based  tests;  by  organization,  site, 
claimant/command  for  trouble  ticket  based 
reports. 

B  Value 

Pre-Negotiation 

Contract  SLA 

Level  of  Service  (1 ) 

Notification  within  six  (6) 
hours 

Level  of  Service  (2) 

N/A 

Level  of  Service  (3) 

Notification  within  three 
(3)  hours 

Performance  Category  4: 

Customer  Satisfaction 

Performance  Measure  Description:  Level  of  customer  satisfaction. 

Who:  Contractor 

Frequency:  Initially  measured  at  six  month 
intervals  for  first  year  of  contract  and  then  yearly 
thereafter. 

Where:  NMCI  Customers  using  service 

How  measured:  Customer  survey,  random 
sampling  of  NMCI  customers  using  this  service. 

B  Value 

Pre-Negotiation 

Contract  SLA 

Level  of  Service  (1) 

0.85  satisfactory  rating 

0.85  satisfactory  rating 

0.85  satisfactory  rating 

Level  of  Service  (2) 

0.85  satisfactory  rating 

0.85  satisfactory  rating 

0.85  satisfactory  rating 

Level  of  Service  (3) 

0.90  satisfactory  rating 

0.85  satisfactory  rating 

0.85  satisfactory  rating 

Table  1:  NMCI  SLA  2  Analytical  Description,  from  the  original  NMCI  Contract 
N00024-00-D-6000,  30  Oct  2002 
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The  following  Table  (Table  2)  provides  the  cumulative  list  of  SLA,  still  in  effect 
within  the  NMCI  contract. 


NMCI  Services  (per  Attachment  1) 

Service  Level 
Agreement 
(SLA) 
Provided 

User  Upgrades 

Desktop  Hardware  and  Operating  System 

1 

End  User  Services 

Standard  Office  Automation  Software 

2 

E-mail  Services 

3 

Directory  Services 

4 

File  Shared  Services 

5 

Web  Access  Services 

6 

Newsgroup  Services 

7 

Multimedia  Capabilities  Services 

Deleted 

Print  Services 

9 

NMCI  Intranet  Performance 

10 

NIPRNET  Access 

1 1 

Internet  Access 

12 

Mainframe  Access 

13 

Desktop  Access  to  Government  Apps 

14 

Moves,  Adds,  and  Changes 

15 

Software  Distribution  and  Upgrades 

16 

User  T raining 

17 

Deleted 

Unclassified  Remote  Access 

18 

Classified  Remote  Access 

19 

Portable  Workstation  Wireless  Dial-in 

20 

Organizational  Messaging  Services 

20A 

Desktop  VTC  (hardware  &  software) 

21 

Deleted 

Deleted 

Voice  Communications 

22 

Voice  Mail 

22A 

Maintenance  and  Help  Desk  Services 

Basic  Help  Desk  Services 

23 

Communications  Services 

Wide  Area  Network  Connectivity 

24 

BAN/LAN  Communications  Services 

25 

Deleted 

Deleted 

Moveable  Video  Teleconferencing  Seat 

26 

Deleted 

Proxy  and  Caching  Services 

26A 

External  Networks 

27 

Systems  Services 

Network  Management  System  Services 

28 

Operational  Support  Services 

29 
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Capacity  Planning 

30 

Domain  Name  Server 

31 

Application  Server  Connectivity 

32 

Network  Operations  Display 

32A 

Information  Assurance  Services 

NMCI  Security  Operational  Services 
General 

33 

NMCI  Security  Operational  Services  PKI 

34 

NMCI  Security  Operational  Services 
SIPRNET 

35 

NMCI  Security  Planning  Services 

36 

Advanced  Application  and  IM  Support 

Delete 

Delete 

Other  Requirements 

Integrated  Configuration  Management 

36A 

Integration  and  Testing 

36  B 

Technology  Refreshment 

36C 

Technology  Insertion 

36D 

Sea-Shore  Rotation  Support 

Sea-Shore  Rotation  Support  Training 

37 

Table  2:  Cumulative  NMCI  Standard  Target  Performance  Measures,  from  the  NMCI 


Contract  N00024-00-D-6000,  30  October  2002 


Figure  16:  Breakdown  of  NMCI  SLAs,  by  Captain  Chris  Christopher,  from  the  NMCI 

Briefing  for  the  Joint  Logistics  Council,  29  March  2001 
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3.  The  Transition  towards  NMCI 

a.  Companies  Involved 

EDS,  as  the  coordinator  of  the  NMCI  contract  has  assumed  the 
responsibility  for  providing  all  assets  and  services  needed  to  ensure  the  transmission  of 
voice,  video  and  data  across  DoN.  In  order  to  fulfill  the  requirements  of  the  contract, 
EDS  has  fonned  a  partnership  with  leading  businesses  in  the  domain  of  IT,  under  the  title 
Information  Strike  Force  (ISF).  Their  roles  and  responsibilities  are  as  follows: 
(www.nmci-isf.com  (EDS-NMCI  Team),  accessed  February  2004) 

•  EDS  for  overall  service  delivery 

•  Raytheon  for  security  and  information  assurance 

•  MCI  for  the  Wide  Area  Network  (WAN) 

•  WAM!  NET  for  Base  Area  Network  (BAN)/  Local  Area  Network 
(LAN)/Metropolitan  Area  Network  (MAN) 

•  General  Dynamics  for  the  BAN/LAN/  MAN 

•  Robbins-Gioia  for  project  scheduling 

•  Cisco  for  routers  and  switches 

•  Microsoft  for  software 

•  Dell  for  desktops,  laptops,  servers  and  enterprise  storage  systems 

•  Dolch  for  desktop  and  portable  embarkables 

•  Dataline  for  voice  services 

•  Hundreds  of  small  businesses  for  help  desk,  network  operations 
center  and  field  services 

b.  The  Plan  Used 

The  transition  to  NMCI  is  divided  into  distinctive  phases,  resulting  into 
an  evolutionary  process  used  to  gradually  transform  USN  and  USMC  sites  from  the 
previous  IT  environment  towards  NMCI.  The  idea  is  to: 

•  Adopt  an  incremental  approach 

•  Leverage  current  contractors 

•  Use  empowered,  on-site  teams 
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Minimized  disruptions  to  ongoing  operations 


Transition  Process 


Phase 


Phase  II 

Phase  III 

Phase  IV 

Site  Preparation 

Site  l  ranstormation 

Achieving  SLA 

Preparing  for  Change 

IVbhing  Change 

Proving  SLA’s 

Operate  and  Maintain 

Configure  and  hstall 

Monitor  Enterprise 

As-ls  Environment 

Equipment 

and  Site  Services 

Train  Users  with  Heavy 

Roll-Out  Desktops 

Monitor  and  Report 

Emphasis  on  Change 

Start  Cutover  to 

SLA’s 

Management  Practices 

1 

Enterprise  Services 

Address.'Fix 

Furnish,  Install  and 

1 

Monitor  and  Report 

Performance  Issues 

Test  Site  Enterprise 

I 

SLAs 

Continue 

Test  Site-Specific 

K 

Conect  Areas  That 

Infrastructire  Work 

Building  Blocks 

1 

Are  Not  Meeting  SLAs 

Conduct 

Begin  Inffastructire 

1 

Configrration  Audit 

I 

Continue  HavyMariie 

Prepare  Lessons 

1 

Infrastructure 

| 

Learned 

Finalize 

Facilitate  Equipment 

Implementation/ 

Retro^ade 

Cutover  Plans 

Logistic  Planning  and 

Stage  Equipment 

Detailed  Engineering 


Planning  Change 
Activity  Briefngs 
Activity  All  Hands  Briefings 
Transition  Government  Workers 
Contract  far  Local  Workforce 
Complete  Site  Concnrence 
Memorandum 

Conduct  Detailed  Engineering  for 
Site.  Perform  Site  Survey  and 
Asset  Inventory  Document 
System  Baselhe 

Engineer  Site  Enterprise 
Conduct  Facilities  Plannhg 

Engineer  Site-Specific  Building 
Blocks 

Submit  Secirity  Accreditation 
Documents 

Interm  Authority  to  Operate 
Received 

Order  Finalization 
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AOR 


Start  of 
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Change  Management  Practices  Applied  Throughout 
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Figure  17:  Transitioning  Sites  into  NMCI. 

In  more  details  the  procedure  and  its  supporting  activity  can  be  broken 
down  as  follows  rwww.nmci.navy.mil  (Transition  to  NMCI),  accessed  February  2004) 


Phase  1:  Pre-AOR  [Planning  Phase] 

The  planning  phase  begins  when  DoN  awards  a  task  order  for  NMCI 
services  to  the  ISF.  During  this  phase,  the  ISF  collects  the  information  it  needs  for  initial 
work  force  development  and  planning  activities  based  on  the  total  site 
order.  Assumption  of  Responsibility  (AOR)  is  defined  as  the  date  when 
responsibility  for  operating  the  "as-is"  (current  IT)  environment,  for  work  defined 
by  the  ordered  NMCI  CLINs,  shifts  from  the  government  and  its  local  contractors 
to  the  Information  Strike  Force  (ISF).  During  this  phase,  ISF  validation  teams  arrive 
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on  the  implementation  location  to  begin  collecting  data  and  to  coordinate  long  lead-time 
activities.  The  validation  teams  assess  infonnation  technology  and  warehouse  facilities, 
security  accreditation,  legacy  applications,  and  WAN  provisioning.  The  teams  also  begin 
to  make  detailed  assessments  of  the  Base  Area  Network/Local  Area  Network 
(BAN/LAN)  and  the  existing  desktop  and  server  environments,  and  collect  additional 
information  on  security  hardware  in  order  to  finalize  the  NMCI  design.  The  following 
means  are  used  to  coordinate  activities: 

•  Preliminary  Site  Questionnaire  (PSQ):  Collection  tool  that  assists 
commands  in  collecting  required  data  prior  to  their  transition  to  the  NMCI 
environment.  Includes  detail  about: 

o  Data  Network  Organization 

o  Registered  IP  Addresses 

o  Current  Network  Infrastructure  Components 

o  Current  Servers 

o  Wide  Area  Network  (WAN) 

o  Local  Area  Network  (LAN) 

o  Legacy  Software  Applications  (non-COTS) 

o  COTS  Software  Applications 

o  Existing  Hardware 

o  Trouble  Call  /  Help  Desk  Support 

o  COMSEC 

o  Information  Assurance 

o  Contracting  /  Procurement 

•  AOR  Checklist:  Defines  the  actions  required  by  ISF,  the  customer 
and  the  government  Program  Office  to  achieve  ISF  Assumption  of  Responsibility 
at  a  site. 
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•  Site  Concurrence  Memorandum  (SCM):  Define  the  roles  and 
responsibilities  of  the  ISF  and  Navy  Marine  Corps  organizations  at  individual 
sites  for  the  accomplishment  of  transition  to  NMCI 

•  Government  Furnished  Facility  (GFF)  Checklists:  Assess  the 
suitability  of  proposed  government-furnished  facilities  for  use  as  server  farms  and 
supporting  facilities,  by  the  ISF  team 

•  List  of  Potentially  Impacted  Federal  Civilian  Employees:  (Self- 
explanatory) 

•  Contractor  Ordering  Process:  Amplifying  information  on  ordering 
NMCI  services  for  government  contractors  who  support  the  DoN 

Phase  2:  AOR  to  Cutover  [Site  Preparation] 

During  the  site  preparation  phase,  the  ISF  team  completes  the  build  out 
necessary  for  the  operation  of  NMCI.  Activities  include  furnishing,  installing,  and  testing 
the  NMCI  site  enterprise,  and  beginning  infrastructure  work  in  order  to  finalize 
implementation  and  cutover  plans.  The  following  tools  are  used  during  this  phase: 

•  Cutover  Checklist:  The  Cutover  Checklist  defines  the  actions 
required  of  all  those  involved  to  achieve  start  of  Cutover  to  NMCI. 

•  Legacy  Applications  Transition  Guide:  Governs  required  actions 
for  collecting  detailed  information  on  legacy  applications  prior  to  transitioning  to 
NMCI. 


o  ISF  Tools  Web  Site/IT  Survey  Tools  &  Related  Files: 
Legacy  application  information  and  application  certification  status 
information. 

o  Classified  Legacy  Applications  Rationalized  List 
Template:  Guidance  for  submission  of  classified  legacy  applications. 
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o  NMCI  Legacy  Applications  Submissions  Guide:  Describes 
how  to  submit  unclassified  and  classified  application  media  for  NMCI 
certification  &  validation  testing. 

o  Engineering  Review  Questionnaires:  Completed  to 
facilitated  accreditation  process. 

o  NMCI  Release  Development  &  Deployment  Guide: 

Information  and  guidance  to  developers  interested  in  migrating  content, 
introducing  new  applications,  or  changing  existing  applications  within 
NMCI. 

Phase  3:  Cutover  [Site  Transformation] 

Cutover  is  the  final  major  milestone  in  the  NMCI  transition  process.  It  is 
that  date  when  the  ISF  and  government  site  personnel  initiate  the  deployment  of  NMCI 
seats  and  services  on  site.  Tools  used  to  support  the  procedure  are: 

•  Cutover  Checklist:  The  Cutover  Checklist  defines  the  actions 
required  to  achieve  start  of  Cutover  to  NMCI 

•  Workstation  Migration: 

o  Ready  Guide:  overview  of  processes  and  procedures 

leading  to  the  installation  of  NMCI  seats  and  the  software  training 
programs  available  after  installation 

o  Workstation  Set  Guides:  Step-by-step  instructions  for  the 
user  to  prepare  the  existing  workstation  for  the  rollout  process 

o  Desktop  User  Share  Guides:  Assist  in  transferring  the  user 
file  access  available  between  Legacy  workstations,  called  desktop  user 
shares,  to  the  networked  environment  of  NMCI. 

o  Workstation  Migration  User  Guide 

•  Legacy  Microsoft  Server  Migration  Guide:  Establishment  of 

strategy  for  integrating  legacy  application  servers  with  NMCI. 

•  Remote  Access  Service  Guides 
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Outlook  Web  Access  Users  Guide 
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igure  18:  Summary  of  the  Activity  to  Transition  towards  an  Operational  Site  with 
NMCI 


Phase  4:  Meeting  SLAs-[Site  Operational] 

The  building  activity  of  the  site,  to  include  testing  of  the  facility,  has 
finished  and  the  site  is  now  under  the  EDS-ISF  technical  responsibility  and  support.  The 
driver  behind  the  operational  concept  is  to  confonn  to  the  SLAs  that  describe  the  desired 
level  of  services. 

4.  Key  Policies  and  Regulations 

a.  NMCI  Interoperability  and  C 41  Support 

DoN  was  committed  to  ensure  that  interoperability  within  Naval 
establishments  and  with  the  joint  community  within  DoD  would  not  be  degraded  in  the 
new  IT  environment  and  used  NMCI  to  lay  the  groundwork  for  significant  improvements 
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in  the  domain  of  communications.  The  NMCI  project  would  ensure  continued 
interoperability  within  the  GIG  and  along  with  other  Department  of  Defense  Enterprise 
level  applications,  while  through  the  NMCI  contract  requirements  DoN  would  maintain 
access  to  all  legacy  applications.  Two  major  aspects  of  interoperability  had  been 
identified  for  special  emphasis: 

•  Operational  Architectures 

•  Compatibility  of  NMCI  IT  services  with  existing  external 
applications 

Interoperability  and  C4I  Support  were  documented  as  firm  NMCI 
requirements  throughout  the  NMCI  Request  for  Proposal  and  in  the  Test  Planning  related 
documentation.  Additionally,  DoN  imposed  the  requirement  for  the  NMCI  vendor  to 
generate  and  use  a  separate  Interoperability  Test  Plan.  The  NMCI  RFP  incorporated  a 
draft  Interface  Control  Document  (ICD)  that  cited  specific  standards,  interfaces  and 
partners  for  which  interoperability  had  to  be  maintained.  This  document  provided 
detailed  descriptions  and  specifications  of  the  interfaces  between  the  NMCI  and  other 
Defense  related  networks.  The  ICD  was  used  to  enforce  the  NMCI  vendor  to  comply 
with  the  Joint  Technical  Architecture  (JTA)  [Note  2],  The  NMCI  RFP  established  SLAs 
that  include  interoperability  metrics  requiring  both  real  time  threshold  reporting  and 
periodic  reporting.  The  NMCI  vendor  was  required  to  propose  specific  mechanisms  to 
measure  interoperability  of  23  separate  services.  (NMCI  Report  to  Congress,  30th  of  June 
2000,  p.  D-4-1) 

b.  Test  and  Evaluation  Strategy 

The  NMCI  contract  provides  for  Inspection  and  Acceptance  as  the  method 
for  verifying  that  the  services  provided  by  the  Contractor  are  in  compliance  with  the 
requirements  of  the  contract.  Inspection  and  acceptance  should  be  performed  using  a 
combination  of  the  following  two  methodologies  and  demonstration  of  successful  service 
delivery  is  defined  as  successfully  completing  both  aspects: 

•  Contractor  executed  testing  and  verification  against  contract 
requirements  with  contractor-developed  and  Government-approved  test  processes 
and  procedures. 
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•  Government  execution,  with  contractor  support,  of  government 
developed  test  processes  and  procedures.  (NMCI  Report  to  Congress,  30th  of  June 
2000,  p.  D-5-1) 

NMCI  services  Inspection  and  acceptance  were  divided  into  two  distinct  periods: 

•  Proof  of  concept  testing  and  evaluation.  (NMCI  First  Installation 
Increment)  Successful  completion  of  proof  of  concept  testing  and  evaluation 
constituted  achievement  of  Initial  Operational  Capability  (IOC)  for  the  NMCI 
implementation 


•  Transition  testing  and  evaluation 

c.  NMCI  Governance 

Federal  statutes,  DoD  and  DoN  directives  provide  the  overarching  policy 
that  governs  every  aspect  of  NMCI  and  the  related  computing  environment.  The  Director 
NMCI  is  manages  the  acquisition  of  NMCI  and  provides  additional  acquisition  guidance 
to  the  Navy  and  Marine  Corps  NMCI  Program  Managers,  while  operating  within  the 
policy  constraints  of  DoD’s  acquisition  regulations  framework. 


NMCI  Operational  Relationships 


Naval  Network  and  Space  Operations  Command  was  Established  on 
July  2002,  Headquartered  in  Dahlgren,  VA 

—Merger  of  the  Naval  Space  Command  &  Naval  Network  Operations  Command 
—Mix  of  officers,  enlisted,  civilian  personnel 
—Naval  Network  &  Space  Operations  Center 
•Maintain  24/7  watch 
•Global  Fleet  support 

•Alternate  Space  Control  Center  Function 


Figure  19:  The  NMCI  Operational  Relationships-Historic  Evolution  and  Purpose 
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The  Navy  and  Marine  Corps  organizations  responsible  for  network 
operations  and  security  oversee  the  operation  of  NMCI.  Within  the  Navy  this  is  Naval 
Network  and  Space  Operations  Command  (NNSOC).  Within  the  Marine  Corps  this  is 
the  Director  Headquarters  Marine  Corps  C4.  These  organizations  work  closely  to 
develop  operating  and  security  policies  that  govern  the  day-to-day  operations  of  the 
NMCI.  These  policies  reflect  higher-level  guidance  from  the  DoD,  the  Joint  Chiefs  of 
Staff,  and  the  Department  of  the  Navy  CIO,  along  with  the  Navy  Information  Officer  and 
the  Marine  Corps  Chief  Information  Officer,  rwww.nmci.navy.mil  (Policy  Statement), 
accessed  February  2004) 


NMCI  Governance 

•  Stake  Holder’s  Council  (SHC) 

-  Co-chairs  NAVNETWARCOM  &  HQMC  C4 

•  Meets  twice  per  month 

•  Purpose : 

-  Forum  for  DoN  claimants  &  major  commands 

-  Enterprise  level  review  &  approval  of  NMCI  requirements 

-  Enterprise  level  review  &  approval  of  NMCI  resource  priorities 

-  Review  and  approve  : 

»  Policy 
»  Standards 
»  Architecture 
»  Applications 
»  Planning  process  results 


Figure  20:  NMCI  Governance,  from  Rear  Admiral  J.  P.  Cryer,  U.S.  Navy,  Commander  of 
Naval  Network  and  Space  Operations  Command,  NMCI  Operations  Brief  at  the  NMCI  - 
Industry  Symposium,  1 8  June  2003 

NNSOC  is  the  operational  arm  of  NETWARCOM  for  network  and  space 
operations.  NNSOC’s  role  in  NMCI  Network  Operations  is  as  follows: 

•  Global  Network  Operations  Center  (GNOC)-Detachment  Norfolk 
supporting  3 10,000  planned  users  by  end  of  year  2003 


NNSOC  teams  with: 
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o  Director  NMCI  for  NMCI  cutovers  &  installs 

o  SPAWAR  PMW-161  for  contract  issues 

o  Operational  Direction  in  support  of  Fleet  Commanders 

o  Supports  NETWARCOM  NMCI  Governance  process 

o  Maintains  NMCI  Security  oversight 

o  Manages  Sea  Shore  Rotation  (SSR)  for  associated 
personnel 

NMCI  Security  roles  can  be  summarized  as  follows: 

•  Administration  (NAVNETWARCOM) 

o  Designated  Approval  Authority  (DAA) 

o  Establishes  policies  and  procedures  for  all  Navy  networks 

o  Approves  Certification  and  Accreditation  of  the  network 

•  Operations  (NNSOC) 

o  Directs  the  contractor  (EDS)  at  the  operational  level 

o  Implement  Information  Assurance  Vulnerabilities-Alerts  / 

Bulletins  /  Technical  Advisories 

o  Change  Information  Conditions  (INFOCON) 

o  Ensures  adherence  to  DoD/DoN  security  policy 

o  -Manages  contractor’s  responses  to  security  incidents 

5.  Impact  on  the  DoN  Mission 

NMCI  has  the  potential  to  enhance  and  improve  enterprise-wide  working 
procedures  and  training,  by  providing  common  IT  services  across  the  Navy  &  Marine 
Corps  enterprise.  Additionally,  by  having  as  a  requirement  the  support  of  new  initiatives 
such  as  knowledge  management,  distance  learning,  and  telemedicine,  it  has  the  potential 
to  significantly  improve  the  quality  of  life  for  Department  of  the  Navy  employees  and 
support  personnel.  By  bringing  together  the  Navy  and  Marine  Corps  ashore  workforce 


45 


into  a  common  IT  infrastructure,  NMCI  will  foster  greater  levels  of  communication, 
collaboration  and  sharing  of  ideas  than  would  ever  have  been  possible  before. 

The  BCA  for  the  NMCI  strongly  emphasized  that  the  previous  IT  environment 
was  providing  adequate  operational  and  strategic  support  for  the  DoN  mission.  NMCI  is 
introduced  with  the  aim  to  be  the  tool  enabling  and  the  driver  supporting  innovations  in 
business  processes  and  practices  that  are  necessary  to  create  a  totally  new,  improved 
Naval-operating  environment,  with  significant  financial  savings  through  superior 
management  of  resources  and  personnel.  The  idea  of  widely  available  data  that  is 
consistent  throughout  the  enterprise  will  promote  fundamental  changes  in  the  way  the 
Navy  is  conducting  its  business  or  transactions,  training  sailors  and  even  supporting 


critical  war-fighting  tasks. 


Current  Environment 

Requirement  (NMCI) 

Large  disparity  in  quality  of  service  across 

the  DoN 

Consistent  (high)  level  of  service  for 
ALL  DoN  end  users 

Redundant  procurement,  sourcing  and 
support  infrastructures 

Consolidated  sourcing,  support  and 
procurement 

Unmanaged  cost  environment  -  allocated 
from  a  variety  of  budget  sources  (IT  budgets,  end  of 
year  money,  etc.).  Lack  of  visibility  into  true  cost  of 
IT. 

Cost  is  discrete,  competitive  with 
current  IT  spending.  Full  visibility  into  cost  of 
IT  services. 

Fragmented,  inconsistent  and  informal  Help 

Desk. 

“One-stop”  help  desk  support. 

Non-IT  systems  adversely  impacted  by 
inconsistent  performance  of  IT  systems  and  current 
support  model. 

Improved  productivity  for  all  IT  users. 

Insufficient  asset  management. 

Comprehensive  asset  management, 
tracking,  and  configuration  control  standard  in 
commercial  best  practices.  Asset  management 
role  switched  from  DoN  to  vendor. 

Navy  personnel  managing  many  networks. 

Allow  DoN  personnel  to  refocus  on 
core  mission.  Key  network  attributes  managed 
through  a  central  DoN  IT  organization. 

Table  3:  Comparisons  Made  Between  the  Previous  and  the  Expected  NMCI  IT 


environment,  from  the  BCA  for  the  NMCI 

Last  but  not  least,  NMCI  will  provide  significantly  improved  level  of  security, 
with  protection  from  outside  attack  as  well  as  internal  safeguards.  From  a  technology 
standpoint,  NMCI  is  not  only  intended  to  address  the  problems  that  various  commands 
experienced  in  the  past  when  attempting  to  share  information  through  collaborative  tools 
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and  e-mail.  With  the  continuous  focus  on  security  that  has  become  a  critical  concern  for 
military  and  industry  organizations  alike,  a  cohesive  system  will  reduce  the  number  of 
potential  entryways  that  increase  organizations'  vulnerabilities  to  information  operations 
and  “malicious  cyber-activity”. 
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Figure  2 1 :  NMCI  Impact  for  DoN,  at  the  Enterprise  Level 


The  idea  behind  NMCI  is  to  create  a  system  that  will  enable  the  Navy  to  carry  out 
all  kinds  of  service-wide  initiatives,  from  providing  a  portal  for  common  information  to 
streamlining  training  opportunities.  Over  the  long  term  this  contract  should  permit  more 
frequent  refresh  of  hardware,  infrastructure  upgrades,  enterprise  distribution  of  advanced 
applications,  and  continuous  improvement  in  operations.  The  economic  benefits  of  NMCI 
include  fixed  per-seat  pricing;  the  economy  of  scale  -  buying  from  a  single  provider; 
shared  cost  savings;  and  regular  technology  refreshes  to  upgrade  hardware  every  three 
years  and  software  every  two  years  at  no  additional  cost. 


The  benefits  of  the  NMCI  environment  include  a  significant  reduction  in  the  Total 
Cost  of  Ownership  for  the  DoN  IT  infrastructure  that  will  accompany  improved  and 
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consistent  levels  of  service  and  perfonnance  for  all  Navy  and  Marine  Corps  CONUS  IT 
customers.  The  contractor  will  handle  systems  administration,  purchasing,  training  and 
maintenance,  allowing  more  sailors  and  marines  to  concentrate  on  their  core  mission  or 
even  re-assigned  to  different  tasks.  At  the  same  time,  users  will  have  quicker  access  to 
the  most  up-to-date  equipment  without  costly  procurements  or  large  up-front  capital 
expenditures. 

NMCI  has  a  favorable  impact  on  the  Navy  in  the  following  three  areas: 

1.  Mission 

•  NMCI’s  integrated  approach  allows  operations  staff  to  coordinate 
their  efforts  quickly  and  efficiently  to  make  decisions  and  provide  ready  access  to 
the  real-time  infonnation  needed  to  make  decisions.  This  yields  improved  access, 
interoperability,  and  security. 

•  Operational  readiness  improvement  as  a  consequence  of  the 
dependable  connectivity  that  NMCI  will  provide  and  the  more  efficient 
telecommunications  operations  that  are  not  achievable  with  DoN’s  current  IT 
infrastructure. 

•  Increased  productivity  achieved  through  better  access  to 
information  services,  better  connectivity  with  peers  and  other  organizations, 
improved  communications/interoperability,  and  ease  of  use  across  platforms  (i.e., 
same  look  and  feel  of  the  access  point)  regardless  of  location. 

•  Improved  productivity  at  the  command  level  through  streamlined 
budgeting  and  planning,  on-line  training  and  enterprise  software  deployment. 

2.  Technical  Architecture 

•  Improved  business  processes  through  enhanced  standardization 
and  hannonization  of  IT  services,  ability  to  keep  pace  with  technological  change, 
increased  reliability  and  availability. 

•  Enabling  ERP,  which  is  a  principal  Navy  Revolution  in  Business 
Affairs  (RBA)  Initiative. 
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•  Establishment  of  desktop  and  server  standards  and  configurations, 
many  of  which  could  be  rolled  out  remotely  via  the  Internet  and  administered 
from  a  centralized  point  within  the  new  support  model. 

•  More  consistent  Help  desk  learning  as  the  number  of  different 
types  of  hardware,  software,  and  configurations  will  decrease  allowing  help  desk 
technicians  to  better  focus  on  the  environment  they  are  maintaining. 

•  Extended  sharing  of  knowledge  and  expertise  worldwide. 

•  Improved  VTC  capability. 

3.  Personnel  /  Service 

•  Creation  of  collaborative  information  databases  and  resources. 

•  Empowered  innovative  work  and  training  solutions. 

•  Enhanced  quality  of  life  and/or  work  for  every  Marine,  Sailor,  and 
civilian  in  the  DoN  workforce.  By-products  of  NMCI  such  as  on-line  training,  a 
standard  look  and  feel  across  the  Naval  IT  spectrum,  a  consolidated  Help  Desk 
and  MO  S/NEC  stability  and  retention  will  each  contribute  to  the  enhanced  quality 
of  life  (Booz,  Allen  and  Hamilton  Inc.,  Business  Case  Analysis  (BCA)  for  NMCI, 
(Contract  GS-23F-0755H),  6/30/200,  pp.  75-77) 

To  summarize,  this  new  approach  towards  IT  will  help  USN  and  USMC  meet  the 
following  objectives:  (www.nmci-isf.com  (About  NMCI),  accessed  January  2004) 

•  Enhanced  network  security 

•  Interoperability  among  them  as  well  as  other  Services 

•  Instant  Web  access 

•  Knowledge  sharing  across  the  globe 

•  Consistent  office  environment 

•  Increased  productivity 

•  Improved  systems  reliability  and  quality  of  service 

•  Reduced  cost  of  voice,  video  and  data  services 

•  Better,  faster  decision-making 

•  Greater  productivity  reduced  costs 

•  Increased  combat  readiness 
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B.  SUMMARY  AND  CONCLUSION  FOR  THE  EARLY  STAGES  OF  NMCI 

The  previous  DoN  computing  environments  were  so  varied  and  complex  that  it 
was  exceedingly  difficult  to  communicate  electronically  across  the  Department. 
Virtually  every  major  command  and  installation  has  its  own  process  for  acquisition, 
management,  maintenance,  and  disposal  of  IT  systems.  Without  a  single  DoN  source  for 
configuration  control  and  minimal  hardware  standards,  the  local  and/or  regional  IS 
management  staff  often  set  standards  without  integration  of  the  tactical,  operational,  and 
strategic  requirements  of  communications  across  DoN  organizations.  The  Navy  Marine 
Corps  Intranet  (NMCI)  is  an  information  technology  (IT)  services  contract  to  provide 
reliable,  secure,  and  seamless  infonnation  services  to  the  shore-based  components  of  the 
Navy  and  Marine  Corps. 

The  approach  offered  by  the  Infonnation  Strike  Force  (ISF),  a  partnership  of 

companies  with  world  wide  recognition  under  the  coordination  of  EDS,  a  leading 

company  in  providing  E-business  and  infonnation  technology  services  to  government  and 

commercial  clients  around  the  world,  uses  an  incremental  delivery  plan  to  create  a  single, 

integrated  network  IT  environment,  with  standardized  software  suites  and  one  security 

architecture  in  order  to  maximize  security  and  enhance  perfonnance  and  interoperability 

across  the  entire  spectrum  of  the  Department  of  the  Navy  (DoN)  agencies 

1.  Analytical  Breakdown  of  NMCI  Implementation  Events  up  to  the 
Year  2003. 

1999 

July  7:  Navy  briefs  industry  on  NMCI 
Oct.  6:  Request  for  infonnation  released 
Dec.  23:  RFP  released 

2000 

Apr.  28:  Revised  solicitation  released 

May  11:  Congress  decides  to  withhold  money  for  at  least  two  months  after  the  Navy 
justifies  the  project  to  the  Hill 

June  19:  Proposals  submitted  by  EDS,  CSC,  IBM  and  General  Dynamics 
June  30:  NMCI  report  to  Congress 
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July  21:  Questions  from  Congress  postpones  award  until  Sept.  1 
Sep. 01:  Award  delayed  again  for  more  questions 
Oct.  02:  Award  postponed  again 
Oct.  06:  EDS  wins  contract 

2001 

Feb.:  EDS  takes  responsibility  for  28,250  seats 

Mar.:  An  additional  13,985  seats  added  to  the  contract,  giving  EDS  responsibility  for 
42,235  at  26  Navy  facilities 

July  9  :  First  network  center  in  Norfolk  opens;  Sen.  John  Warner,  R-Va.,  questions 
commercial  testing  of  NMCI 

Aug.  2:  House  Armed  Services  Committee  proposes  Marines  not  be  part  of  NMCI. 
Proposal  later  dropped 

Aug.  6:  Second  network  center  in  San  Diego  opens 

Aug.  28:  Navy  and  Department  of  Defense  settle  dispute  over  how  to  test  NMCI 
Sept.  7:  First  sailor  logs  on 

Sept.  25:  Contract  modification  lowers  fiscal  2002  payment  to  EDS  to  $600  million  from 
$728  million;  Congress  requests  more  monitoring 

Sept.:  310  of  3,100  NMCI  contract  employees  laid  off  by  EDS  because  of  slow  rollout  of 
the  system 

Oct.  18:  Naval  Reserve  Air  Facility- Washington  with  400  seats  becomes  first  facility  to 
exclusively  use  NMCI 

Nov.:  Rollout  begins  for  3,500  seats  at  the  Naval  Air  Station  in  Lemoore,  Calif.,  and  for 
1 ,000  seats  at  the  Patuxent  River  Naval  Air  Station  in  Maryland 
December:  Phase  3  testing  and  evaluation  begins 

(www.washingtontechnology.com  (Timeline  of  NMCI  in  the  startup  of  the  program) 

accessed  January  2004) 

2002 

January:  Navy  begins  search  for  NMCI  leader.  Rear  Admiral  Charles  Munns,  U.S. 

Navy,  is  appointed  NMCI  director 
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March-May:  Testing  Phase  completed,  triggering  order  but  not  transitioning  for  100,000 
additional  seats. 

June:  NNSOC  is  created. 

August:  Start  of  monitoring  the  level  of  SLAs.  Congress  imposes  a  cap  of  60,000  seats 
until  EDS  reached  more  of  its  service  level  agreements 

August:  Testing  of  the  operation  of  the  enterprise  management  system  for  the  SLA  level. 
October:  Testing  completed,  announcement  of  mixed  results. 

October:  Expansion  of  the  baseline  timeframe  is  agreed  between  DoN  and  EDS. 

December:  Analysis  of  the  measurements  indicates  EDS  is  close  to  reaching  the  SLAs 

2.  Conclusions  for  the  NMCI  Start-Up 

The  NMCI  project  has  been  plagued  by  off-track  progress  from  the  very 
beginning.  During  the  first  year  of  the  contract,  NMCI  leaders  faced  issues  ranging  from 
how  to  handle  thousands  of  old  legacy  applications  to  questions  about  how  the  Pentagon 
will  oversee  the  program.  Nothing  similar  in  nature  and  magnitude  had  ever  before  been 
attempted:  the  reduction  of  hundreds  of  disparate  networks  across  the  globe  and  tens  of 
thousands  of  legacy  applications  into  one  single,  integrated  and  secure  intranet 
architecture.  Such  change  on  a  massive  scale  has  fueled  infighting  and  charges  of 
mismanagement.  The  potential  long  term  results,  in  terms  of  cost  avoidance,  increased 
security,  interoperability  and  advanced  capability,  were  considered  to  outweight  the  near 
term  discomfort.  Therefore,  based  on  the  idea  “better  late  than  never”,  the  decision  for  a 
revised  timetable  based  on  “event-driven”  facts  was  mutually  agreed  to  provide  a  more 
feasible  solution  for  the  NMCI  implementation. 

The  introduction  of  a  rigorous  testing  process  and  the  move  from  a  time -based  to 
an  event-based  schedule  reassured  many  on  Capitol  Hill,  and  when  a  program  manager 
was  named,  communication  with  Congress  and  oversight  of  NMCI  within  the  Navy 
improved  further,  therefore  turning  Congress  into  an  open  supporter  of  the  NMCI  effort. 
The  Navy's  decision  to  bring  a  two-star  admiral  in  to  run  the  program  indicated  its 
commitment  to  ensuring  that  the  required  change  would  take  place.  The  Navy  plans 
during  the  year  2002  were  to  complete  testing  of  the  Navy-Marine  Corps  Intranet  by  the 
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end  of  April  and  receive  permission  from  the  DoD  to  add  100,000  more  seats  to  the 
program,  (www.washingtontechnology.com  (NMCI  testing  Moves  Forward),  accessed 
February  2004)  Again,  the  target  date  was  lost  but  after  successful  completion  of  testing 
that  involved  checking  to  see  if  NMCI  was  secure,  reliable  and  compatible  with  other 
defense  systems  and  whether  service-level  agreements  were  met  the  future  started  to  look 
more  prosperous. 

A  managed  services  contract  requires  that  the  customer  focus  on  the  results 
provided  by  the  contractor  and  give  up  some  or  all  of  the  decision  making  involved  with 
implementing  those  services.  Because  of  this,  it  is  imperative  that  the  customer  has  the 
following  in  place,  preferably  well  in  advance  of  awarding  the  managed  services 
contract:  (www.belarc.com  (IT  as  a  Utility),  accessed  February  2004) 

•  An  accurate  and  complete  inventory  of  existing  computer  hardware, 
software  and  users.  That  element  was  totally  neglected  by  DoN  and  left 
until  the  contract  had  been  awarded  and  resulted  in  unpleasant  surprises, 
i.e.  the  estimated  number  of  legacy  and  quarantined  applications  that  had 
negative  impact  on  the  implementation  progress.  EDS  also  attributed  the 
technical  delays  to  the  extremely  large  number  of  legacy  applications 
discovered,  many  of  which  should  be  installed  on  kiosks  outside  of  the 
intranet  because  they  failed  the  security  testing  or  do  not  run  on  Windows 
2000. 

•  Realistic  goals  and  objectives.  The  setting  of  goals  and  objectives  is  what 
most  customers  focus  on,  however  without  an  accurate,  complete  and  up- 
to-date  baseline,  these  goals  can  be  unrealistic  from  the  start.  The  timeline 
involved  with  NMCI  was  over-optimistic  again,  with  a  negative  impact  in 
the  Congress’  confidence  in  the  program  and  the  Navy’s  workforce  morale 
without  a  concrete  change  management  plan  in  place.  On  the  other  hand, 
the  interaction  between  DoN  representatives,  industry  experts  and  end  - 
user  groups  made  possible  a  realistic  determination  of  SLAs  that  are  the 
foundation  of  the  NMCI  contract. 
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•  An  independent  performance  measurement  and  review  process.  The 

issue  is  that  the  service  provider  supplies  IT  infrastructure  and  services 
and  then  sends  the  customer  a  bill.  However,  the  customer  has  no 
independent  method  of  auditing  the  level  of  services,  systems,  software, 
and  networks  actually  provided.  The  solution  of  hiring  independent  parties 
to  do  the  NMCI  testing  along  with  auditing  activity  by  the  appropriate 
DoD  agencies  was  the  optimal  solution  to  ensure  the  NMCI  would  remain 
on  high  standards  and  the  outside  pressure  would  cause  the  contractor  “to 
cut  comers”. 

IT-21  implementation  was  the  initial  step  towards  shipboard  open 
communications.  Once  fully  in  place,  it  is  expected  to  enable  war-fighters  to  share 
classified  and  unclassified  tactical  and  non-tactical  information  through  a  single  network 
interface.  This  would  shorten  time  lines  and  increase  combat  power.  However,  this 
capability  will  probably  increase  the  demands  on  the  shore  information  technology 
infrastructure  and  create  a  “bandwidth”  burden.  We  are  never  going  to  be  able  to  provide 
enough  bandwidth  to  cover  the  demands  of  the  GIG,  so  the  alternative  solution  might  be 
to  manage  more  efficiently  the  quality  of  service  (QoS)  and  prioritize  the  flow  of 
information.  Providing  an  integrated  computing  infrastructure  that  allows  the  authorized 
end  user  to  communicate  seamlessly  across  the  DoN  enterprise  is  a  priority.  Therefore,  it 
is  critical  that  computing  devices  utilize  the  same  communication  protocols  and  have 
access  to  the  bandwidth  needed  to  facilitate  prompt  communication  and  collaboration. 

One  goal  of  the  NMCI  is  to  meet  this  demand  by  making  available  bandwidth 

“on  demand”.  In  conjunction  with  IT-21,  deployed  forces  will  have  readily  available 

access  to  maintenance,  logistics,  medical  and  personnel  data  that  resides  within  the 

supporting  ashore  establishments.  NMCI  could  facilitate  tele-maintenance  by  allowing 

deployed  personnel  to  address  a  problem  on  a  ship  via  on-line  communication  with 

technical  experts  ashore,  therefore  allowing  less-experience  personnel  onboard-deployed 

units  to  deal  with  far  more  complex  issues  than  they  are  qualified  to.  In  the  medical 

arena,  personnel  who  come  across  complex  situations  will  have  the  support  of  more 

experienced  medical  personnel  within  installations  ashore.  Web-based  collaborative  tools 

could  be  used  to  ensure  ease  of  communications  and  interactions  with  the  various 
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echelons  of  command.  This  collaborative  environment  would  facilitate  a  worldwide 
interactive  dialogue  and  by  offering  commanders  the  ability  to  share  knowledge,  not  just 
data,  it  could  significantly  improve  decision-making. 

C.  ENDNOTES 

1.  The  Virginia  based  MSD  Company  had  a  supporting  role  on  the  EDS 
Product  Assurance  team  and  the  testing  included  network  WAN/LAN/server 
performance,  information  assurance  testing  and  customer  support  process  verification. 
Using  hardware  and  software  test  tools  the  company  technicians  measured  voice,  video, 
data,  and  imagery  networks’  fidelity  and  performance.  The  focus  was  to  deliver  a 
complete  understanding  of  traffic’s  effect  on  system  latency,  response  time,  throughput, 
and  jitter. 


Figure  22:  The  Initial  Testing  of  NMCI,  from  www.msdinc.com  (NMCI  Initial  Testing), 
accessed  February  2004 
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2.  DoD  has  defined  three  types  of  architectures:  operational,  technical,  and 
system.  A  technical  architecture  is  a  set  of  rules  or  "building  codes"  that  are  used  when  a 
system  engineer  begins  to  design/specify  a  system.  These  rules  consist  primarily  of  a 
common  set  of  standards/protocols  to  be  used  for  sending  and  receiving  information 
(information  transfer  standards  such  as  Internet  Protocol  suite),  for  understanding  the 
information  (information  content  and  format  standards  such  as  data  elements,  or  image 
interpretation  standards)  and  for  processing  that  information.  It  also  includes  a  common 
human-computer  interface  and  "rules"  for  protecting  the  information  (i.e.,  information 
system  security  standards).  The  JTA  is  a  document  that  mandates  the  minimum  set  of 
standards  and  guidelines  for  the  acquisition  of  all  DoD  systems  that  produce,  use,  or 
exchange  information.  The  applicable  mandated  standards  in  the  JTA  are  the  starting  set 
of  standards  for  a  system  and  additional  standards  may  be  used  to  meet  requirements  if 
they  are  not  in  conflict  with  standards  mandated  in  the  JTA.  The  JTA  is  mandatory  to  be 
used  by  anyone  involved  in  the  management,  development,  or  acquisition  of  new  or 
improved  systems  within  DoD.  (www.jta.disa.mil  (Frequently  Asked  Questions  Section), 
accessed  February  2004) 
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III.  DATA  COLLECTION 


A.  PROGRESS  OF  THE  NMCI  CONTRACT 

A  draft  report  of  the  fiscal  year  2003  Defense  Appropriations  bill  cited  inadequate 
testing  methods  and  a  failure  to  identify  thousands  of  legacy  systems  as  lingering 
concerns  for  the  NMCI  project.  As  the  DoN  moves  closer  to  its  new  integrated  network, 
there  is  a  need  to  clean  out  thousands  of  old  applications  that  either  fail  to  meet  the 
NMCI  standard  software  configuration  or  do  not  meet  the  security  requirements  already 
established  by  the  DoD.  Concerns  were  also  related  to  the  overall  budget  of  the  program. 

1.  Historical  Context  in  the  year  2003 


The  most  appropriate  authority  to  provide  the  recent  numbers  related  with  the 


Figure  23:  Progress  of  NMCI,  from  Rear  Admiral  Chuck  Munns,  Director  of  NMCI, 


NMCI  Progress  Briefing,  at  the  NMCI  -  Industry  Symposium  17  June  2003 
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The  implementation  process  consists  of  360,000  seats  being  moved  into  the 
NMCI  in  three  stages.  The  first  step  is  the  official  order  by  the  Navy  for  a  specific 
number  of  seats.  The  next  milestone  is  when  the  Information  Strike  Force  (ISF)  assumes 
responsibility  for  the  site  (AOR).  The  final  step  is  the  seat  cutover.  The  term  “cutover” 
describes  the  point  at  which  NMCI  network  users  each  receive  a  new  desktop  computer, 
operating  system  and  software,  and  are  connected  to  the  full  network  services  of  the  new 
intranet,  including  access  to  the  legacy  applications  that  resided  on  their  previous 
workstations.  The  ISF,  the  industry  team  working  on  NMCI  under  the  lead  of  EDS,  in 
late  2002  had  assumed  responsibility  for  only  60,000  seats,  out  of  the  total  goal  of  seats. 
Congress  and  the  DoD  had  capped  the  size  of  the  network  while  testing  and  evaluations 
were  done,  but  in  the  end  analysis  of  the  results  from  four  months  of  testing  and  EDS’ 
demonstrated  ability  to  meet  Service  Level  Agreements  on  the  20,000  pilot  seats  clearly 
removed  all  the  barriers  and  NMCI  was  ready  to  move  to  the  next  level. 

The  Pentagon  gave  to  DoN  the  “go-ahead”  to  move  as  many  as  3 10,000  Navy  and 
Marine  Corps  IT  users  to  the  newly  built  network  in  the  beginning  of  the  year  2003.  The 
decision  came  after  months  of  operational  testing  that  was  required  by  Congress  before  it 
would  allow  DoN  to  proceed  beyond  the  60,000  user  cap  that  it  imposed  after  concerns 
surfaced  about  the  program's  technical  feasibility  and  cost.  With  the  successful 
completion  of  the  testing  phase,  the  Navy  received  approval  to  proceed  with  all  of  the 
160,000  seats  that  had  already  been  approved  and  to  order  an  additional  150,000  seats. 
The  official  report  at  the  end  of  the  testing  phase  by  the  director  of  NMCI  concluded: 

The  results  from  four  months  of  testing  clearly  demonstrated  that  the 

NMCI  is  ready  to  move  to  the  next  level 

Rear  Admiral  Charles  L.  Munns,  U.S.N.,  Director  of  Navy  Marine  Corps  Intranet. 

However,  the  “go-ahead”  decision,  at  the  beginning  of  2003,  did  not  mean  that  the 
program  had  finally  achieved  a  satisfactory  seat  delivery  pace.  During  the  2nd  quarter  of 
2003,  progress  was  made  but  the  cutover  numbers  were  not  adequate  enough  and  there 
was  still  a  long  way  towards  the  end  state.  The  situation  could  be  summarized  as: 

•  Number  Sites  Active  -  300 

•  Seats  in  AOR  -  210,000 
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•  Seats  Cutover  -  Less  than  80,000 

•  Significant  number  of  dual  desktops  in  place  (24%  of  total-  Too  High) 

•  Facilities  in  place  and  Capacity: 

o  3  Network  Operations  Centers  (Only  two  fully  operational) 

o  2  Help  Desks  (With  minimal  “hands  on”  experience) 

o  24  Server  Farms  (Unclassified)-  263  Terabyte 

o  7  Server  Farms  (Classified)-  41  Terabyte 

With  a  simple  comparison  with  the  pre-planned  end  state,  the  implementation  pace 
appeared  again  sluggish. 


NIN/ICI  End  State  Overview 

4  Network;  Operations  Centers 
2  Call  Centers 

3 3  Server  Farms  (Unclass) 

—  ~  782  Terabit  Capacity 
20  Server  Farms  (Class) 

—  ~  188  Terabit  Capacity 
8-4  Micro  Server  Farms 

1  000+  Active  Customer  Sites 
1  7  Overseas  Sites 


Figure  24:  NMCI  End-State 


Figure  25:  Cumulative  Seat  Implementation  after  the  2nd  Quarter  of  the  Year  2003 
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EDS:  NMCI  Contract  Update 
(Deployment  Schedule) 

2003  Call  Update 

JZW 


345 


|  ■  Cutover  ■  APR  | 


171 


103 


J- 


72 


jt&r 
241  I 

■ 

95 


2  68 


Orders 


Dec  '02 

95K 


Mar 

231 K 


Jun 

292K 


Sep 

■  300K 


Dec  "03 

~  350K 


345 


345 


Mar  "04 

~  350K 


•  Deployment  Schedule:  orders  on-track,  AOR’s  lagging 

•  Key  Milestones:  Testing  Requirements 

•  Operations  Evaluation  . . .  stress  on  testing  . . .  achieve  or  adjust  timeframe? 

figure  26:  NMCI  Progress  and  Main  Concerns,  from  EDS  Profits  Review  for  the  Year 
2003 


But  EDS  revised  the  Enterprise  Deployment  Rollout  Plan  (EDPP)  at  the  time  in 
place  and  accelerated  the  deployment.  As  of  the  2003  fall,  the  ISF  had  responsibility  for 
approximately  300,000  seats,  with  more  than  107,000  seats  moved  to  the  cutover  stage. 
Three  network  operation  centers  are  currently  fully  operational  in  San  Diego;  Oahu, 
Hawaii;  and  Norfolk,  Virginia.  An  additional  network  operations  center  also  is  in  the 
process  of  being  set  up  at  the  U.S.  Marine  Corps  base  in  Quantico,  Virginia,  therefore 
completing  the  required  numbers  of  NOCs  and  indicating  progress  within  the  USMC’s 
portion  of  NMCI  that  had  been  put  on  hold  by  Congress  until  the  completion  of  the  first 
increment  of  the  Intranet’s  tests.  Help  desks  are  in  place  in  Norfolk  and  San  Diego,  with 
complete  functionality  and  automated  tools  are  deployed  to  increase  performance.  The 
current  number  of  Navy  and  Marine  Corps  seats  that  are  now  under  ISF  control  has 
improved  significantly. 

Snapshot  27  FEB  04 
Seats  in  AOR  303,369 
Seats  Cut  Over  160,175 

Table  4:  Current  NMCI  Implementation  Numbers,  from  www.nmci.navy.mil  (NMCI 
Now),  accessed  February  2004 
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B. 


IT  SUPPORT  AVAILABLE  THOUGHT  NMCI 


Figure  27:  Total  Cost  of  Ownership  (TCO)  within  the  Seat  Management  Framework, 
from  the  BCA  for  the  NMCI,  p.23 


The  NMCI  approach  of  a  single  private  sector  entity  providing  IT 
services  under  a  long-term  commercial  seat  management  contract  is  a 
good  business  decision  compared  to  the  way  Naval  IT  requirements  are 
currently  provided.  In  summary,  considering  all  the  dimensions  of 
providing  the  Navy  and  Marine  Corps  war-fighters  an  optimal  IT 
infrastructure  and  supporting  network,  there  are  more  risks,  uncertainties 
and  hazards  inherent  in  continuing  to  do  business  as  usual,  versus 
supporting  basic  IT  services  via  NMCI. 

Conclusion,  included  in  the  Bussiness  Case  Analysis  for  the  NMCI. 


DoN  has  decided  that  the  requirements  of  NMCI  could  be  provided  most 
efficiently  and  effectively  by  a  single  private-sector  vendor  providing  such  IT  capabilities 
as  a  service  under  a  “seat  management"  contract.  These  type  of  contracts,  used  widely  in 
the  commercial  sector,  are  long-term  service  contracts  under  which  all  required 
enterprise-wide  IT  capabilities,  including  all  required  infrastructure,  are  provided  and 
managed  by  a  single  contractor.  The  customer  is  charged  a  fixed  price  per  user  (“seat”) 
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for  each  applicable  period  (e.g.  monthly)  throughout  the  life  of  the  contract,  provided  that 
the  contractor  satisfies  certain  established  service  levels  in  specified  performance  areas. 


The  NMCI  contract  is  in  keeping  with  the  current  federal  government  business 
trend  of  assigning  accountability  for  various  IT  services  to  one  vendor.  The  service-level 
agreements  (SLAs)  enables  DoN  to  transition  from  a  government-owned  and  -operated 
environment  to  a  purchased-service  environment  in  which  the  contractor  provides  for  the 
daily  operational  task  of  maintaining  a  robust  IT  infrastructure.  The  SLA  is  a  contracting 
tool  keyed  to  a  client's  service  performance  expectations.  This  means  that  the  client  can 
evaluate  the  performance  of  the  contractor  and  the  services  the  contractor  is  providing. 


Meeting  or  beating  the  customer’s  expectations  will  earn  the  contractor  a  financial 
reward;  failing  to  meet  expectations  results  in  the  contractor  earning  less  money  for  that 


phase  of  implementation. 


Standard  F e  ature  s 

•  Hardware 

•  Software 

•  File  Share  Services 

•  Maintenance 

•  Refreshment 

•  Administration 

•  Network  Access 

•  Customer  Support 

•  Relocation 

•  Training 


,  Additional  Services 

•  Data  Warehouse 

•  Legacy  Apps 

•  Sea/Shore  Rotation 
• OCONUS 

■  Retrain  Civilian 
.  Personnel 


Upgrades 

•  High  end  Upgrade 
J  •  Mission  Critical 
Upgrade 

_  •  Classified  Upgrade 


Figure  28:  Buying  a  “Seat”  with  the  NMCI  Contract 


The  NMCI  is  acquired  as  a  performance-based,  enterprise-wide  services  contract 
that  incorporates  future  strategic  computing  and  communications  capability  that  is 
managed  like  a  utility.  Service  will  be  paid  for,  as  it  is  delivered,  similar  to  the  concept  of 
telephone  utility  service  that  is  currently  used  in  the  commercial  U.S.  market.  The 
customer  (DoN)  chooses  from  a  list  of  basic  and  additional  or  “premium”  services  and 
pays  for  that  level  of  service  required  or  desired.  Rather  than  treating  information  systems 
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as  products  that  must  be  developed,  maintained  and  upgraded  in  house,  the  Navy  is 
“utilizing”  commercial  experts  to  provide  the  equipment,  training,  expertise  and  support 
as  a  service  package  for  a  set  cost  per  user. 

The  NMCI  contractor  must  support  a  mix  of  large,  medium,  and  small  sized 
activities  with  dissimilar  business  functions.  To  make  this  task  feasible,  the  contractor  is 
expected  to  leverage  economies  of  scale  by  developing  standardized  hardware  and 
software  platforms,  as  well  as  consolidating  services  within  the  same  geographical 
location.  Each  computer  that  is  connected  in  the  NMCI  is  described  under  the  term 
“seat”,  while  users  have  the  ability  to  access  the  network  from  any  type  of  seat  available 
to  them  and  not  just  from  their  “private”  desktop. 


CLIN 

TITLE 

OOOIAA 

Fixed  Workstation  -  Red  Seat  -  $2958.12  per  year.  Pentium  HI  800MHz  Provides 
performance  for  use  with  2-D  and  light  3-D  graphics  or  engineering-related  applications, 
applications  that  require  additional  processing  capability. 

000 1AB 

Fixed  Workstation  -  White  Seat  -  $2863.68  per  year  Pentium  III  733MHz  Ideal  for  the 
typical  user  of  Microsoft  Office  Professional  software. 

0001  AC 

Fixed  Workstation  -  Blue  Seat  -  $2788.08  per  year  Celeron  566MHZ.  Provides  adequate 
performance  for  daily  office  productivity  applications.  Ideal  for  administrative  functions. 

0001 AD 

Fixed  Workstation  -  Thin  Client  -  $2335.92  per  year 

0002 

Portable  Seat  -  $3699.00  per  year.  Dell  Lattitude  C600.  Provides  excellent  performance 
for  office  productivity  software.  Supports  users  needing  remote  access  to  NMCI.  Makes 
high-quality  presentations  while  on  travel. 

Actual  Hardware  Changes  with  Commercial  Market  Pace, 

NMCi  Price  Remains  Fixed 

figure  29:  CLINs  establishing  the  description  of  “Seats”,  from  the  first  version  of  the 
NMCI  contract 


NMCI  is  by  far  the  largest  seat-management  contract,  and  it  includes  not  only  the 
introduction  of  seats  but  also  the  supporting  infrastructure  on  the  bases  and  all  the 
connectivity  between  and  among  any  type  of  Naval  installation  ashore.  Consolidating 
network  management  functions  under  the  network  operations  centers  (NOCs),  aims  to 
allow  better  management  and  utilization  of  security  resources,  configuration  management 
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and  network  performance  monitoring  capabilities.  Service  desk  functions  will  also  be 
centralized,  to  provide  more  efficient  “one-stop”  support  to  end-users.  In  other  words, 
this  is  an  end-to-end,  total  service  being  ordered  by  the  DoN. 

1.  Hardware  Performance  and  Upgrades 


KEY  SYSTEM  FEATURES 


Processor 

Memory  Storage 

Monitor 

HIGH-END 

Highest  speed  shipped  in 
Opti  line  in  volume  (cum. 
vol .  >  1 0k  units) 

80th  Dercentile  shioDed  w 1  Dell  oetformance  Ooti 
systems 

Same  as  RED  seat 

RED 


80th  percentile  of  ALL 
Opti  systems 


80th  percentile  shipped  w/  Dell  mainstream  Opti  systems 


WHITE 

Next  best  performance  level  below 

RED  seat 

Processor  speed 

Memory  quantity 
(typically  one-half) 

Disc  quantity 
(same  drive  speed  it  avail  .) 

Same  as  RED  seat 

BLUE 

80th  percentile  of  ALL 
Opti  INTEL  value  chipset 
systems 

80th  percentile  shipped  w/  Dell  value  Opti  systems 
(not  exceeding  WHI TE  seat  perform  anos) 

Same  as  RED  seat 

Figure  30:  Seat  Division  within  the  NMCI  Contract 


Performance  of  the  hardware  used  is  correlated  with  the  importance  of  the 
functionality  required  and  mission  supported  by  the  end  user.  Dell  Company  is  providing 
complete  IT  systems  for  NMCI  according  to  the  above  technology  insertion  matrix  in 
order  to  ensure  adequate  technology  refresh.  Dell  is  also  partly  responsible  for 
installation  accuracy.  The  ISF  provides  Dell  with  a  load  set  to  install  on  each  machine 
equipped  with  Microsoft  Windows  2000  and  Office  2000.  When  the  systems  arrive  at  the 
Navy  and  Marine  Corps  sites,  they  are  pre-configured  and  NMCI-certified.  Upgrades, 
modernization,  and  technology  refreshment  will  occur  over  the  NMCI  contract  life  cycle. 

2.  Software 

Standardized  operating  system  (OS)  and  application  packages  are  supported  by 
NMCI  through  the  use  of  COTS  products  to  every  possible  extend,  although  some 
modification  to  the  standard  application  packages  may  be  necessary  depending  upon 
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unique  DoN  requirements.  Software  platforms  are  required  to  be  within  one  year  of  the 
current  service  pack  or  major  release.  Client  applications  include  e-mail  capability, 
NIPRNet/Internet  connectivity,  database  functions,  spreadsheets,  graphics  and  word 
processing  functions,  anti-virus  software,  and  calendar  applications. 

Additionally,  the  number  and  functions  of  servers  should  also  be  consolidated, 
eliminating  redundant  platforms  in  order  to  optimize  maintenance  and  support  processes 
and  provide  the  high  level  of  service  as  designated  by  the  SLAs.  The  application  servers 
must  be  fully  integrated  with  the  workstation  environment  and  processes  facilitating 
administrative  activity,  such  as  automated  software  distribution,  virus  inoculation, 
detection  and  repair,  should  be  present.  Network  management  capabilities  should  include 
configuration  and  change  management,  inventory  management  and  acquisition  tools, 
centralized  user  account  management,  security  functions,  life  cycle  management,  backup 
and  disaster  recovery  capabilities  and  the  ability  to  remotely  access  end  user  machines 
from  network  management  stations. 


Features 

Benefits 

Aim 

Customizable 

Help  and  Alerts 

Desktop  administrator 
customizes  online  help  based  on 
prior  history  of  help  desk 
support  calls. 

Reduces  or  eliminates  help  desk 
support  calls. 

Self-Repairing 

Applications 

Automatically  detects  and 
repairs  errors  without  a  user 
even  knowing  about  them. 

Decreases  end-user  downtime  and 
eliminates  need  to  call  help  desk. 
Reduced  peer-to-peer  support. 

Install-on-Demand 

Improves  desktop  manageability 

Fewer  custom  installations  decrease 
deployment  costs.  Reduced  help  desk 
costs  since  components  install 
automatically. 

Intelligent  User 
Interface 

Customizable  and  intelligent 
user  interface  simplifies  daily 
tasks. 

Easier  completion  of  routine  daily 
tasks 

Table  5:  Administrator’s  Software  and  Capabilities,  from  the  BCA  for  the  NMCI,  p.  75 


In  Table  C,  in  Appendix  C  there  is  the  revision  history  of  the  software  associated 
with  the  NMCI  implementation.  The  standardized  software  package  that  is  currently  in 
place  with  every  NMCI  seat  is  often  described  as  “ Gold  Disk".  The  products  full  list 
follows: 
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Gold  Disk  Contents 


GOLD  DISK  CONTENTS 

SERVICE 

SOFTWARE  DESCRIPTION 
(MINIMUM  VERSION) 

VENDOR 

Basic 


Operating  System 

MS  Windows  2000  SP3 

Microsoft 

Office  Suite 

Standard  Office  Automation  Software 
Included  on  the  Gold  Disk: 

.  MS  Word 

•  MS  Excel 

•  MS  PowerPoint 

•  MS  Access 

Microsoft 

Desktop  Management 

Diskeeper  7.0413 

Executive 

Software 

E-mail  Client 

MS  Outlook  2000 

Microsoft 

Internet  Browser 

Internet  Explorer  MS  5,5  SP-2  128bit 

Microsoft 

Virus  Protection 

Norton  AA/  Corp  Edition  v7.5 

Symantec 

PDF  Viewer 

Acrobat  Reader  v5.05 

Adobe 

Terminal  Emulator  -  Host 
(TN3270.  VT100, 
X-Terminal) 

Reflection  8.0.5  ■  Web  Launch  Utility 

WRQ 

Compression  Tool 

WinZip  v8.1 

WinZip 

Collaboration  Tool 

Net  Meeting  v3.01  (4.4.3385) 

Microsoft 

Multimedia 

RealPlayer  8  (6.0.9.450) 

RealNetworks 

Multimedia 

Windows  Media  Player  v9 

Microsoft 

Internet  Browser 

Communicator  4.76 

Netscape 

Electronic  Records  Mgmt 

Trim  Context 

Tower 

Plug-ins 


Web  Controls 

Macromedia  Shockwave  v8.0 

Macromedia 

Web  Controls 

Flash  Player  5.0 

Macromedia 

Web  Controls 

Apple  QuickTime  Movie  and  Audio  Viewer 
v  5.0 

Apple 

Web  Controls 

iPIX  v6,2,0,5 

Internet  Pictures 
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Security  Apps 


Security 

Intruder  Alert  v3.6 

Symantec 

Security 

ESM  v5.1 

Symantec 

Agents 

Software  Management 

Radia  Client  Connect  v.2.1 

Novadigm 

Inventory,  Remote  control 

Tivoli  TMA  v3.71 

IBM/Tivoli 

Remote  Connectivity  (Notebooks) 

Dial-up  connectivity 

PAL  v4.3 

MCI/WorldCom 

VPN 

VPN  Client  v4.1 

Alcatel 

Table  6:  Contents  of  the  “ Gold  Disk ”,  from  www.nmci-isf.com  (Gold  Disk  Contents), 
updated  on  the  15th  of  December  2003,  accessed  February  2004 


Because  this  thesis  will  provide  recommendations  for  the  information  security 
(INFOSEC)  and  information  assurance  (IA)  policies  [Note  1]  related  to  NMCI  in  the 
chapters  that  follow,  a  detailed  description  of  security  related  software  will  be  provided  in 
this  section.  Symantec  Corp.  has  been  awarded  a  contract  from  EDS  to  help  secure  NMCI 
in  the  early  years  of  the  contract,  in  March  2001.  Under  terms  of  the  agreement, 
Symantec  provides  a  significant  portion  of  the  security  components  including  firewall, 
virus  protection,  content  filtering,  vulnerability  assessment,  and  intrusion  detection 
solutions  to  safeguard  the  IT  services  provided.  Under  a  subcontract  from  EDS,  Raytheon 
is  responsible  for  the  overall  network  security  and  information  assurance  of  the  network. 
In  implementing  NMCI,  the  full  complement  of  Symantec  security  solutions  is  utilized. 
With  Norton  AntiVirus  at  each  desktop,  NMCI  has  automatic  protection  against  viruses 
and  other  malicious  code  as  well  as  centralized  anti-virus  policy  management  to  facilitate 
administration  and  enhance  security. 

Symantec  Intruder  Alert  version  3.6  is  a  host-based,  real-time  intrusion 
monitoring  system  built  with  the  purpose  to  detect  unauthorized  activity  and  security 
breaches  and  respond  automatically,  if  the  case  arises.  It  includes  specialized  software 
agents  that  support  server  platforms  running  Windows  2000  and  Windows  Server  2003 
Enterprise  Edition  and  can  be  configured  to  monitor  Web  or  database  applications 
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running  on  servers.  If  Intruder  Alert  detects  a  threat,  it  will  sound  an  alarm  and  initiate 
countermeasures  according  to  the  pre-established  security  policies.  From  a  central 
console,  administrators  can  create,  update,  and  deploy  policies  and  securely  collect  and 
archive  audit  logs  for  incident  analysis.  As  a  complement  to  firewalls  and  other  access 
controls,  Intruder  Alert  enables  the  development  of  precautionary  security  policies  that 
prevent  expert  hackers  or  authorized  users  with  malicious  intent  from  misusing  systems, 
applications,  and  data.  The  focus  is  on:  rwww.symandec.com  (Intruder  Alert),  accessed 
February  2004) 

•  Monitoring  systems  and  networks  in  real  time  in  order  to  detect 
and  prevent  unauthorized  activity 

•  Enabling  the  creation  of  customizable  intrusion  detection  policies 
and  responses 

•  Enforcing  policy  with  the  automatic  deployment  of  new  policies 
and  updated  detection  signatures 

•  Delivering  network-wide  responses  to  security  breaches  from  a 
central  management  console 

•  Providing  audit  data  for  incident  analyses  and  generating  graphical 
reports  for  both  host  and  network  intrusion  detection  activity 

•  Complementing  firewalls  and  other  access  control  systems  with  no 
impact  on  network  performance 

Intruder  Alert  has  the  aim  to  enhance  the  control  over  systems  with  policy-based 
management  that  determines  which  systems  and  activities  to  monitor  and  what  actions  to 
take,  as  well  as  with  real-time  intrusion  detection  reports  for  both  host  and  network 
components.  Administrative  wizards  perform  many  routine  tasks  and  silent  installation 
and  remote  tune-up  capabilities  make  it  easy  to  deploy  and  maintain  the  system.  Intrude 
Alert  ingrates  with  the  Symantec  Enterprise  Security  Manager™  (ESM). 

Symantec  ESM  is  an  automation  tool  for  the  discovery  of  security  vulnerabilities 

and  deviations  of  the  security  policy  in  mission  critical  e-business  applications  and 

servers  across  the  whole  enterprise  from  a  single  location.  It  provides  enterprise-class 
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tools  that  allow  administrators  to  create  security  baselines  for  every  system  on  the 
network  and  measure  performance  against  those  baselines  to  ensure  that  devices  are 
properly  configured  and  being  used  in  accordance  with  policies.  With  the  appropriate 
tools,  administrators  can  quickly  and  cost  effectively  create  and  manage  online  security 
policies  and  user-defined  security  domains,  identify  systems  that  are  not  in  compliance, 
and  correct  faulty  security  settings  on  systems  at  any  location  to  bring  them  back  into 
compliance. 

Because  Symantec  Enterprise  Security  Manager  integrates  with  the  Symantec 
Security  Management  System,  it  can  also  leverage  advanced  management  capabilities 
that  provide  improved  overall  security  posture.  Within  the  framework  of  the  Symantec 
Security  Management  System,  policy  compliance  data  collected  and  analyzed  by  ESM 
can  be  correlated  with  security  event  data  from  a  multitude  of  sources,  including 
firewalls,  intrusion  detection  systems,  and  vulnerability  assessment  products.  And,  the 
central  logging,  alerting,  and  reporting  functions  of  the  Symantec  Security  Management 
System  can  be  combined  with  the  correlation,  risk  prioritization,  and  management 
capabilities  of  Symantec™  Incident  Manager  to  build  a  holistic,  proactive  security 
system.  This  enables  organizations  to  respond  rapidly  to  incidents,  contain  and  eradicate 
threats  faster,  and  utilize  the  full  potential  of  their  security  systems.  Key  features  include: 
(www.symantec.com  (Enterprise  security  Products),  accessed  February  2004) 

•  Large  number  of  specific  security  checks  to  help  ensure  that  mission- 
critical  information  systems  comply  with  an  organization's  security 
policies. 

•  Easy  retrieval  and  deployment  of  security  updates  with  Live  Update 
™technology. 

•  Integration  with  other  Symantec  Security  Management  System  products  to 
ensure  a  more  holistic  understanding  of  security  risks  and  priorities. 

•  Measurement  and  reporting  on  compliance  with  industry  standards  and 
government  regulations. 

•  Wide  platform  and  application  coverage. 
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•  Customizable  security  policy  support. 

•  Focuses  on  proactive  security  to  ensure  the  maintenance  of  business 
operations. 

3.  Services  Provided 

The  NMCI  offers  the  required  IT  services  under  the  framework  of  a  single 
network,  which  is  easier  to  manage  and  more  secure,  and  enables  military  personnel  to 
focus  on  their  defense  mission  rather  than  information  technology  acquisition  and 
support.  A  breakdown  of  the  current  data  seat  services  within  NMCI  is  shown  in  Figure 
31: 


Data  Seat 
Types 


Fixed  WS 


/ 

s  i 


Laptop 


Embarkable 

WS 


Embarkable 

Portable 

Wall  Plug 
Hybrid  . 


Standard  Services 

■  STD  office  automation  software 

•  Scan  services 

■  E-mail  services 

•Facsimile  services 

•  Directory  services 

•  NMCI  access 

•  File  share  services 

•  NIPRNET  access 

■  Web  access  services 

•  Internet  access 

•  Newsgroup  services 

•  Mainframe 

access 

•  Multimedia  capabilities 

•  Desktop  access 

to  legacy  apps. 

•  Print  services 

•  Usertraining 

•  Copy  services 

•  Non-secure  RAS 

High  End  (includes  Standard  Services) 

1  High  bandwidth  ■  CPU  intensive  processing 


Mission  Critical  (includes  Standard  Services ) 

1  High  availability  •  Greater  level  of  real-time 

operations 


ISP-like  service 
No  hardware  provided 
Security  access  to  SIPRNET 
option 


is  an 


Hybrid  Seat 

•  Standard  software  suite 
■  Requested  by  Reservists 
and  others  requiring  remote 


Hardware 

and 

Performance 


use 


Data  Seat  Options 

'  Secure  Remote  Access  Server  (RAS)  •  Organizational  Messaging 
1  Collaborative  services/planning  *VTt 

1  Workflow  management  *  Industry  partner  access 

1  Instruction  access  •  Optional  end  user  applications 


Security 


Applications 
y  and 
Productivity 
Features 


Figure  31:  Breakdown  of  Data  Seat  Services 
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The  domain  of  NMCEs  “Basic  Services”  includes  the  following: 

•  Security  services  (firewalls,  intrusion  detection,  encryption) 

•  WAN  access  (DISN,  Commercial  WAN,  internet) 

•  Infrastructure  (Voice  video,  &  data  transport) 

•  Joint  and  industry  network  interoperability 

•  Pier  services  (connectivity,  NOC/JFTOC  interface) 

•  Enterprise  functions  (Help  Desk/Tech  support) 

•  Network  management  services 

•  Desktop  hardware  (standard,  high-end,  and  laptop) 

•  Desktop  software  (standard  software  suite) 

•  Organizational  messaging  (AUTODIN,  Defense  Message  System  (DMS)) 

•  Training 

•  Directory  services 

•  E-mail 

•  Remote  telephone  access 

•  Domain  name  service 

•  Help  Desk/Tech  support 

•  LAN  (building  LANs) 

•  System  management  services 

•  Telephony  -  Switched  telephone  networks 

•  Telephony  to  the  desktop 

(Navy  Marine  Corps  Intranet  Site  Deployment  Guide  Version  1.2,  07  March 
2003,  p.  40) 
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c. 


NMCI  SECURITY  AND  INFORMATION  ASSURANCE  POLICIES 

The  NMCI  security  policy  supports  the  five  fundamental  information  assurance 


elements  (confidentiality,  integrity,  availability,  authentication  and  non-repudiation)  and 
establishes  how  the  NMCI  will  manage,  protect,  and  distribute  sensitive  information.  The 
directive  case  (DC)  security  policy  statements  are  derived  from  the  appropriate  DoD  and 
DoN  IT  directives  and  instructions  to  which  the  NMCI  must  adhere  by  virtue  of  its 
existence  as  a  DoN  information  system. 


NMCI  complies  with  DISN  security  policy  and  DISA  requirements  for 
connection  to  the  SIPRNET.  Security  services  provided  for/within  the  NMCI  implement 
Computer  Network  Defense  (CND)  initiatives  such  as  Information  Operations  Condition 
(INFOCON)  directives  and  Information  Assurance  Vulnerability  Alert  (IAVA)  notices, 
and  effort  is  made  to  integrate  within  the  existing  DoD  and  remaining  of  DoN  CND 
infrastructure.  Preference  is  given  to  COTS  IA  and  IA-enabled  IT  products  evaluated  and 
validated,  as  appropriate,  in  accordance  with  one  of  the  following: 


•  The  International  Common  Criteria  for  Information  Security  Technology 
Evaluation  Mutual  Recognition  Arrangement 

•  The  National  Security  Agency  (NSA)/National  Institute  of  Standards  and 
Technology  (NIST)  National  Information  Assurance  Partnership  (NIAP) 
Evaluation  and  Validation  Program 
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The  NIST  Federal  Information  Processing  Standard  (FIPS)  validation 
program 


(NMCI  Contract  N00024-00-D-6000,  (Conformed  Contract  P00080),  Attachment  5,  p.7) 


1.  A  Brief  Introduction  into  Public  Key  Infrastructure  (PKI) 

PKI  is  a  set  of  standards  for  applications  that  use  encryption  and  is  often  called 
trust  hierarchy.  It  is  a  system  of  digital  certificates,  Certificate  Authorities,  and  other 
registration  authorities  that  verily  and  authenticate  the  validity  of  each  party  involved  in  a 


Web  transaction.  Public  Key  Infrastructure  (PKI)  is  the  term  generally  used  to  describe 
the  laws,  policies,  standards,  and  software  that  regulate  or  manipulate  digital  certificates 


PKI  Key  Pairs 


Key  pairs  generated  at  the  same  time 


Private  Key 


HW 


*=■ : «***• 


Key 


Protected  by  owner 
Used  to  sign  messages 
Used  to  decrypt 
messages 
Kept  in  physical 
possession  of  owner 


Distributed  freely  and 
openly 

Used  to  verily  signatures 
Used  to  encrypt  messages 
Kept  in  individual  public 
key  " certificates’' 


Figure  34:  Private  and  Public  Keys 


The  DoD  introduced  PKI  with  the  following  capabilities  in  mind: 

•  Secure  Unclassified  E-mail  (Sign,  Encrypt  and  Decrypt)  using  digital 
certificates. 

•  Certificate -Based  client-server  “Mutual”  Authentication 

•  Certificate -Based  Authentication  to  Unclassified  Web  Applications 

•  Secure  Encrypted  Communications/Transactions  Between  Client  and  Web 
Servers  Using  SSL 

•  Certificate -Based  Network  Logon 

The  digital  certificate  is  simply  an  attachment  to  an  electronic  message  used  for 
security  purposes.  The  most  common  use  of  the  certificate  is  to  verify  that  a  user  sending 
a  message  is  who  he  or  she  claims  to  be,  and  to  provide  the  receiver  with  the  means  to 
encode  a  reply.  An  individual  wishing  to  send  an  encrypted  message  applies  for  a  digital 
certificate  from  a  Certificate  Authority  (CA).  The  CA  issues  an  encrypted  digital 
certificate  containing  the  applicant's  public  key  and  a  variety  of  other  identification 
information.  The  CA  makes  its  own  public  key  readily  available  through  print  publicity 
or  more  commonly  on  the  Internet. 

Generic  COTS  PKI  Architecture 


Figure  35:  PKI  Architecture 
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The  recipient  of  an  encrypted  message  uses  the  CA's  public  key  to  decode  the 
digital  certificate  attached  to  the  message,  verifies  it  as  issued  by  the  CA  and  then  obtains 
the  sender’s  public  key  and  identification  information  held  within  the  certificate.  With 
this  information,  the  recipient  can  send  an  encrypted  reply.  The  most  widely  used 
standard  for  digital  certificates  is  X.509. 


Public  Key  Cryptography:  RSA  and  X509 


Certificate 

Authority 


Alice's  Certificate 
(Certified  “Public”  Key) 
Accessible  by  Anyone 


Proposed  “Public”  Key 
and  Identity  Proof  Via 
Trusted  Path 


Public  Distribution  Methods 
for  Certified  “Public”  Keys 
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Pair  Generation  Entity 


“Private”  Key 
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Asymmetric  Keys  Eliminate  Need  for  Pair-Wise  Shared  Secrets 


Figure  36:  Public  Key  Cryptography 

Within  the  NMCI,  a  PKI  certificate  is  an  electronic  “document”  officially  linking 
a  user’s  identity  with  his/her  Public  key.  There  are  three  types  of  PKI  certificates: 


•  Identity:  Digitally  sign  documents  or  electronic  forms.  Also  used  to 
authenticate  the  user  to  specific  applications. 


•  E-mail  Signature:  Digitally  sign  e-mails 


•  E-mail  Encryption:  Digitally  encrypt  e-mail  messages 

(NMCI  Public  Key  Infrastructure  (PKI)  User  Guide,  2nd  July  2003,  p.  2) 

The  driver  for  the  approach  to  implement  DoN  wide  infrastructure  to  support  PKI 
is  to  enhance  the  security  posture  of  NMCI  through  the  use  of  the  already  PKI  posture 
established  by  DoD  to: 


•  Enable  end  user  cryptographic  logon  to  NMCI 
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•  Enable  client  authentication  to  private  DoD  websites 

•  Digitally  sign  all  e-mail  messages  originated  from  Mission  Assurance 
Category  (MAC)  I  and  MAC  II  systems,  as  well  as  all  e-mail  messages 
where  the  sender  or  recipient  requires  data  integrity  and/or  non¬ 
repudiation. 


•  Encrypt  Private  and/or  Sensitive  But  Unclassified  e-mail. 

2.  Understanding  Secure  Socket  Layer  (SSL) 

The  Secure  Sockets  Layer  (SSL)  is  a  commonly  used  protocol  for  managing  the 
security  of  a  message  transmission  on  the  Internet.  [Note  2]  SSL  uses  a  program  layer 
located  between  the  Internet's  Hypertext  Transfer  Protocol  (HTTP)  and  Transport  Control 
Protocol  (TCP)  layers.  SSL  is  included  as  part  of  both  the  Microsoft  and  Netscape 
browsers  and  most  Web  server  products.  Developed  by  Netscape,  SSL  also  gained  the 
support  of  Microsoft  and  other  Internet  client/server  developers  as  well  and  became  the 
de  facto  standard  until  evolving  into  Transport  Layer  Security.  The  “sockets”  part  of  the 
tenn  refers  to  the  sockets  method  of  passing  data  back  and  forth  between  a  client  and  a 
server  program  in  a  network  or  between  program  layers  in  the  same  computer.  SSL  uses 
the  public-and-private  key  encryption  system  from  RSA,  which  also  includes  the  use  of  a 


digital  certificate.  (www.Searchsecurity.com  (SSL  Definition),  accessed  February  2004) 


How  SSL  works 

These  are  the  steps  an  SSL  server  goes  through  to 
authenticate  a  user.  _ 

Q 

Q - ^  I  The  server  validates  the  user's  digital  signature 

wit  lit  he  public  key.  The  server  then  cheeks  fertile 
certificate's  enpiral  ion  date.  If  current  time  and 
date  are  off.  the  process  stops. 


demote  user  contacts 
corporate  or  service 
provider  SSL  server. 


(Jaer 


SSL  server 


^"fcach  SSL  server  main  tains  a  list  of  trusted  certificate  authorities.  The  server 
compares  the  public  key  from  the  CA  to  validate  the  digital  signature.  If 
information  has  changed  or  public  and  private  keys  don't  match,  the  process 
ends,  if  everything  matches,  the  user  can  access  resources. 

SOURCE  NETSCAPE 

Figure  37:  How  SSL  Works,  from  the  Netscape  Corp. 
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3.  Defense  in  Depth  Strategy 

NMCI  employs  a  defense-in-depth  (DiD)  strategy  to  mitigate  the  risk  associated 
with  a  single  point  of  failure.  Available  protection  technologies  are  employed  in  a  layered 
system  of  defenses.  To  this  end,  attacks  directed  against  systems  within  NMCI’s  defined 
network  boundaries  are  met  by  a  series  of  protection  mechanisms  including,  but  not 
limited  to,  encryption,  intrusion  detection  systems,  access  control,  user  identification  and 
authentication,  malicious  content  detection,  audit,  physical  and  environmental  controls. 
Use  of  these  mechanisms  is  intended  to  mitigate  inherent  system  vulnerabilities  and 
counter  potential  threats.  The  number  and  type  of  defense  mechanisms  used  in  each 
boundary  layer  is  a  consequence  of  the  protective  qualities  of  the  device  and  the  assigned 
value  of  the  infonnation  within  the  protected  enclave. 

Content  security-checking  mechanisms  to  scan  for  malicious  code  are 
implemented  via  the  NMCI  approach  for  all  connecting  networks,  systems  and 
subsystems.  All  NMCI  information  systems  are  monitored  to  detect,  isolate,  and  react  to 
intrusions,  disruptions  or  denials  of  services,  or  other  incidents  that  threaten  the  security 
of  the  network.  NMCI  shall  follows  an  enterprise-wide  IA  architecture  that  implements  a 
DiD  approach  to  incorporate  multiple  protection  schemes  at  different  levels  to  establish 
and  maintain  an  overall  acceptable  IA  posture  across  the  NMCI. 

These  boundaries  are: 

•  Boundary  1 :  Logical  Boundary  between  NMCI  and  External  Networks. 

•  Boundary  2:  Logical  Boundary  between  NMCI  and  Communities  of 
Interest  (COIs).  These  COIs  could  be  at  Metropolitan  Area  Network 
(MAN)/Base  Area  Network  (BAN)/Local  Area  Network  (LAN)  level,  or 
between  different  organizations  or  functional  groups. 

•  Boundary  3:  Logical  Boundary  between  COIs  and  Host  level  I. 

•  Boundary  4:  Final  Layer  of  Defense:  Application/Host  Level. 

Corresponding  to  the  discussion  of  boundaries  within  the  NMCI  is  a  distinction  of 
layers  of  defense  implemented  as  part  of  DiD  strategy. 


77 


•  Layer  0:  Demilitarized  Zone  (DMZ).  Communication  between  the  NMCI 
and  public  networks  that  is  not  afforded  the  same  degree  of  protection 
provided  by  an  integrated  network  security  suite. 

•  Layer  1:  External  boundary  level  protection.  Communication  provided 
between  the  NMCI  and  external  networks  such  as  NIPRNet/INTERNET 
or  SIPRNet. 

•  Layer  2:  Communication  internal  to  the  NMCI. 

•  Layer  3:  Communication  within  COIs  in  the  NMCI  without  the  use  of  a 
Virtual  Private  Network  (VPN) 

•  Layer  4:  Communication  within  COIs  in  the  NMCI  with  the  use  of  VPN 

•  Layer  5:  Application/Host  Level 


Layer  ll-DVIZ:  Access  to  public  networks  without  full  integrated  security  suite 


Ligure  38:  NMCI  Layered  Defense,  from  the  NMCI  Contract  N00024-00-D-6000, 
(Conformed  Contract  P00080),  Attachment  5,  p.6) 


Because  government  and  especially  military  networks  pose  an  attractive  target 
and  are  attacked  constantly,  the  NMCI  must  be  fully  prepared  to  respond.  Under  the 
NMCI  and  along  with  the  increased  security  approach,  DoN  will  have  total  visibility  of 
the  operational  network  for  both  setting  strong  procedures  to  detect,  respond  and  guard 
against  outside  attack  and  ensuring  information  assurance  for  every  user. 
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D.  SUMMARY  AND  CONCLUSIONS  FOR  THE  CURRENT  STAGE  OF  THE 

NMCI  IMPLEMENTATION 

1.  The  Current  Progress  of  Seats  Delivered 

Now  entering  its  fourth  year  of  implementation,  the  NMCI  program  has 
experienced  a  rather  difficult  start  and  unexpected  squalls  in  its  adaptation  of  commercial 
processes.  The  obvious  conclusion  from  the  figures  related  with  the  NMCI 
implementation  is  that  the  total  numbers  of  seats  that  have  achieve  the  “cut-over”  under 
the  NMCI  environment  up  to  now,  is  still  not  enough  to  deliver  the  full  NMCI  promise  to 
the  end-users. 

The  financial  house  of  experts  “Morgan  Stanley”  on  October  2003  issued  a  report 
on  the  NMCI  progress-  EDS’s  profitability  and  the  conclusions  related  to  the  NMCI 
effort  could  be  described  only  as  bad.  According  to  the  23-page  report,  the  analysts  gave 
the  company  less  than  a  1  percent  probability  of  meeting  current  [fourth-quarter  fiscal 
2003  and  first-quarter  fiscal  2004]  accumulated  cutover  seat  targets,  given  current 
cutover  seat  rates  averaging  290  per  day  [during  the  past  nine  months],  compared  with 
1,500  seats  per  day  required  to  achieve  its  stated  objectives  and  profitability.  The  EDS 
Corp.  attributed  the  loss  of  profits  to  the  decline  in  the  average  seat  price  based  on  the 
types  of  seats  ordered  and  expected  to  be  ordered  by  the  DoN,  as  well  as  a  reduced  period 
of  time  in  which  to  generate  seat  revenue  due  to  deployment  delays  and  associated 
incremental  estimated  operating  costs.  However,  the  report  concluded  that  the  year  2004 
could  be  a  pivotal  year  for  the  company  and  the  project,  as  EDS  will  have  ample 
opportunity  to  improve  NMCI’s  free  cash  flow  generation. 

On  the  good  news  front,  the  program  is  now  more  mature  with  the  entire 
requirements  fully  understood  and  crystallized  by  the  client.  The  team  supervising  the 
implementation  effort  has  now  enough  experience  with  the  complex  nature  of  the 
problems  involved  and  the  spiral  approach  for  seats  deployment  that  is  now  in  place 
facilitates  solving  of  technical  issues  in  a  more  coordinated  manner  than  the  previous 
linear  approach.  Additionally,  the  EDS-ISF  team  has  been  flexible  and  always  found 
ways  to  move  around  technical  difficulties.  More  important  is  that  within  the  year  2004 
DoN  is  expecting  to  complete  the  operational  evaluation  of  the  network  and  enjoy  the  full 
technical  capability  and  IT  support  by  the  ISF. 


79 


The  NMCI  progress  is  obviously  slower  than  we  had  anticipated.  Going 
forward  what  we  intend  to  do  is  separate  the  reporting  on  the  Navy 
contract  from  the  rest  of  our  operations  to  give  everybody  a  much  cleaner 
picture  of  the  base  business,  as  well  as  a  lot  of  transparency  on  the  Navy 
contract  itself. 

Michael  Jordan,  EDS  president  and  chief  executive,  commenting  the  year 
2003  economic  results  of  EDS  Corp 

EDS  officials  announced  on  the  5th  of  February  2004  that  they  would  separate  the 
company's  reporting  on  its  earnings  and  its  reporting  on  its  DoN  related  business,  because 
the  company  executives  feel  that  losses  caused  by  NMCI  aren't  reflective  of  the 
company's  overall  performance.  EDS  had  to  revise  the  NMCI  rollout  plan  in  midstream 
because  the  company  was  spending  a  lot  of  money,  time  and  effort  to  roll  out  far  fewer 
seats  than  it  had  anticipated.  The  revised  deployment  schedule,  according  to  Jordan, 
requires  that  EDS  will  write  down  deferred  construct  costs  of  $559  million. 


Decision  Pt.  2A 


Decision  Pt.  1 
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Customer  Test 
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Seats  Delivered  Seats  Working  Seats  Ordered 


Figure  39:  Current  State  of  NMCI  Seats,  Rear  Admiral  Chuck  Munns,  U.S.  Navy,  NMCI 
Director,  NMCI  Briefing,  at  the  SPAWAR  Industry  Day,  San  Diego-USA,  23ld  October 
2003 
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a.  The  NMCI  Budget 

In  order  to  evaluate  better  the  potential  cost  of  NMCI  against  a 
comparable  baseline,  the  Department  has  performed  a  Business  Case  Analysis  (BCA). 
The  “as-is”  [Note  3]  environment  identified  335,000  current  “seats”  (as  of  FY  1999) 
throughout  the  DON  and  an  average  annual  cost  of  $4,582  per  seat.  That  implied  a 
funded  base  of  support  for  NMCI-like  IT  requirements  of  at  least  $1.5  billion  annually. 
The  fiscal  2003  budget  called  for  $646  million,  based  on  adjustment  through  the  “reward- 
penalty”  model  of  the  SLAs. 

NMCI  Budget  Summary 
(in  millions  of  dollars) 


Account 

FY  2001 

FY  2002 

FY  2003 

FY  2004 

FY  2005 

Operation  &  Maintenance,  Navy 

119.6 

577.0 

679.8 

679.8 

679.8 

Operation  &  Maintenance.  Marine 
Corps 

0 

70.1 

280.5 

280.5 

280.5 

Operation  &  Maintenance.  Navy 
Reserve 

19.8 

131.3 

183.2 

183.2 

183.2 

Operation  &  Maintenance,  Marine 
Corps  Reserve 

0 

7.2 

28.4 

28.4 

28.4 

Environmental  Restoration,  Navy 

0 

.6 

.7 

.7 

.7 

Research.  Development.  Test  & 
Evaluation,  Navy 

7.0 

9.6 

9.8 

9.8 

9.8 

Military  Construction,  Navy 

0 

8.2 

9.4 

9.4 

9.4 

Family  Housing,  Navy  &  Marine 

Corps 

0 

.7 

1.0 

1.0 

1.0 

Base  Realignment  &  Closure 

0 

1.0 

l.l 

1.1 

1.1 

Working  Capital  Fund 

109.8 

248.5 

269.0 

269.0 

269.0 

Defense  Health  Program 

0 

.1 

.5 

.5 

.5 

NMCI  Total 

256.1 

1,054.3 

1,463.4 

1.463.4 

1.463.4 

Table  7:  The  NMCI  Budget  Summary,  from  the  NMCI  Report  to  the  Congress,  p.  A-3 


The  Pentagon  has  given  approval  to  the  DoN  to  seek  funding  of  $1.1 
billion  for  the  Navy  Marine  Corps  Intranet  in  the  fiscal  2004  budget,  a  markup  of  nearly 
$500  million  from  the  fiscal  2003  budget.  President  Bush  signed  on  the  24th  of 
November  2003  the  National  Defense  Authorization  Act  for  fiscal  2004,  authorizing  the 
DoD  budget  for  the  current  fiscal  year.  However,  the  federal  government's  General 

Accounting  Office  (GAO)  said  in  late  December  2003  that  sloppy  accounting  practices 
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by  the  DoD  led  to  a  $1.6  billion  discrepancy  between  two  keys  IT  budget  reports  for 
fiscal  2004.  (www.computerworld.com  (GAO  says  inaccuracies  in  2004  Pentagon  IT 
budget),  accessed  February  2004)  Topping  the  list  of  projects  with  inconsistent  budget 
figures  was  the  NMCI  program.  GAO  determined  that  about  95%  of  the  total  dollar 
difference  between  IT  budget  requests  from  the  DoN  ($58 1M)  could  be  attributed  to  the 
NMCI  initiative.  The  GAO  attributed  the  budget  discrepancies  to  what  it  called 
“insufficient  management  attention”  as  well  as  ambiguities  in  the  Defense  Department's 
internal  regulatory  processes,  including  those  for  ensuring  consistency  between  reports. 
For  those  who  are  not  convinced  about  the  NMCI  initiative  value,  conclusions  like  that  is 
the  perfect  ammunition  to  strike  back,  because  the  program  appears  over  budget. 

Major  initiatives  do  not  consistently  use  the  same  type  of  appropriations  to 
fund  the  same  activities.  To  fund  the  same  types  of  activities,  some  DoD 
organizations  used  the  research,  development,  test  and  evaluation 
appropriations,  and  others  used  the  operation  and  maintenance 
appropriations. 

Conclusion,  included  in  GAO’s  Report  Improvements  Needed  in  the 
Reliability  of  Defense  Budget  Submission  to  the  Subcommittee  on 
Terrorism,  Unconventional  Threats,  and  Capabilities,  Committee  on 
Armed  Services,  House  of  Representatives,  December  2003. 

However,  it  should  be  noted  that  it  is  crystal  clear  from  the  public 
announcements  made  by  EDS  relating  to  the  reduced  stream  of  NMCI  expected  profits 
that  the  SLA  model  works  in  favor  of  the  DoN.  Additionally,  the  fact  that  there  are  still 
discrepancies  on  budgeting  and  accounting  procedures  after  all  those  years  of  improving 
visibility  of  the  accounting  systems  is  a  proof  that  DoN  needs  NMCI  to  improve  the 
accuracy  of  its  budgetary  data  and  reporting,  because  this  IT  initiative  will  allow  network 
and  IT  infrastructure  costs  to  be  listed  as  separate  expenses,  rather  than  lumped  into 
command  operating  budgets. 

NMCI  is  a  strategic  approach  that  will  enable  the  entire  spectrum  of  DoN 
agencies  to  effectively  communicate  in  the  modern  age.  USN  and  USMC  have 
recognized  that  intranets  have  become  major  communications  tools  for  any  type  of 
activity  in  the  21st  century  and  understood  the  value  of  a  unified  network  organized  and 
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managed  at  the  Department/Enterprise  level.  NMCI  has  a  proven  Return  On  Investment 
(ROI)  for  the  DoN  and  is  expected  to  afford  significant  improvements  in  overall 
capability,  connectivity,  security  and  effectiveness  of  IT  systems,  benefits  that  are  not 
possible  to  described  through  financial  termilogy  or  easily  captured  in  a  spreadsheet 
matrix. 
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Figure  40:  NMCI  Savings  and  Other  Bennefits,  Rear  Admiral  Chuck  Munns,  U.S.  Navy, 
NMCI  Director,  NMCI  Briefing,  at  the  SPAWAR  Industry  Day,  San  Diego-USA,  23ld 
October  2003 


b.  The  Legacy  Issue  is  still  Present 

In  the  year  2002  the  main  issue  under  concern  was  to  cut  back  100,000 
legacy  applications  to  30,000.  After  the  initial  start  up,  those  30,000  remaining 
applications  underwent  evaluation  to  determine  which  are  mission  critical  and  meet 
NMCI  guidelines.  Over  time,  DoN  and  ISF  hope  to  reduce  the  legacy  number  to 
approximately  7,000  applications.  Ultimately,  the  goal  is  to  reduce  the  number  of 
applications  to  around  2,000,  but  getting  participants  in  numerous  departments  to  agree  to 
change  their  software  tools  is  a  very  complex  task.  Mission-critical  legacy  applications 
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that  do  not  meet  security  requirements  have  been  a  major  sticking  point,  but  the  Navy  and 
ISF  have  dealt  with  them  by  placing  the  seats  in  quarantine.  Old  applications  in  nearly 
one-quarter  of  the  seats  could  not  be  transferred  to  new  Windows  2000  machines,  forcing 
EDS  to  install  “dual  desktops”,  leaving  sailors  and  Marines  with  two  PCs  on  their  desks. 

Legacy  applications  are  not  pennitted  onto  the  NMCI  network  either 
because  of  security  risks  or  because  they  are  incompatible  with  the  standardized 
Windows  2000  environment.  In  2003,  the  Navy  issued  stricter  legacy  application 
guidelines  in  order  to  trim  down  the  number  further.  Under  the  directive,  only 
applications  identified  as  approved  or  allowed  with  restrictions  by  a  functional  area 
manager  can  be  retained  and  allowed  to  run  on  NMCI.  The  tougher  legacy  application 
guidelines  have  caused  some  commands  difficulty  when  their  applications  did  not  meet 
NMCI  standards,  (www.mit-kmi.com  (NMCI:  Now  for  the  Networks),  accessed  February 
2004) 

Transitional  firewalls  in  some  places  between  the  old  Navy  networks  and 
NMCI  have  been  installed  in  specific  commands.  The  intent  is  to  allow  some 
applications,  with  appropriate  security  risk  mitigation  by  NETWARCOM,  to  transmit  in 
and  out  of  NMCI  that  previously  couldn’t.  But  the  long-term  strategy  is  to  reduce  the 
number  of  applications  and  get  those  application  servers  inside  the  NMCI  enclave.  On  the 
other  hand,  some  5,000  applications  have  already  been  certified  on  NMCI. 

By  reducing  the  number  of  applications,  it  also  reduces  the  time  it  takes  to 
get  applications  NMCI  certified,  because  there  are  fewer  of  them  to 
certify.  By  the  end  of  calendar  year  [2003],  we  anticipate  EDS  will  operate 
everything  in  DoN.  By  mid-2004,  we  anticipate  completely  operating  the 
NMCI. 

Captain  Chris  Christopher,  U.S.N.  staff  director  of  the  NMCI  office 

Last  year,  DoN  turned  the  legacy  challenge  into  an  opportunity. 
Cataloging  applications  enabled  the  Navy  to  assess  and  understand  which  commands  had 
which  applications.  A  group  of  managers  was  designated  to  examine  the  applications  in 
23  functional  areas  such  as  logistics,  personnel  and  administration.  The  managers 
scrutinized  the  list  of  applications  and  determined  which  to  keep  and  which  to  delete.  As 
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of  the  1st  of  October  2003,  only  applications  on  the  functional  area  managers’  (FAM)  list 
are  allowed  on  NMCI  seats. 

c.  Cultural  Issue  and  Change  Management 

Resistance  to  change  was  another  challenge  for  the  NMCI  implementation 
effort.  Changing  the  paradigm  from  computers  as  individual  property  to  a  point  of  service 
is  a  major  shift,  and  it  has  been  an  issue  that  the  ISF  has  had  to  address  at  every  site  but 
without  any  coordinated  planning.  DoN  and  the  ISF  have  not  done  a  good  job  of 
managing  the  cultural  change  piece,  but  at  least  they  are  now  trying  to  get  better.  After 
experiencing  early  glitches  to  move  users  to  the  NMCI  environment,  the  DoN  concluded 
that  additional  training  will  help  future  users  make  a  smooth  transition  to  the  Navy's 
enterprise  network. 

The  Navy  formed  a  transition  team  last  year  to  help  commands  switch 
from  legacy  systems  to  NMCI  and  to  provide  documents  and  resources  to  users  to  help 
them  to  get  started  and  provide  helpful  hints  on  becoming  a  successful  NMCI  user. 
Training  consists  of  briefings,  introduction  of  related  Web  sites  and  information  packets, 
but  apparently  not  everyone  is  getting  the  training  they  need,  according  to  the  end  users. 
Postings  on  the  NMCI  User  Information  Web  page  provide  an  on-line  newsletter 
addressed  to  all  users  that  keeps  NMCI  users  up  to  date  with  upcoming  changes  to  the 
NMCI  environment  and  explains  significant  developments  and  events  related  with  the 
NMCI  implementation  and  operations.  Additional  recourses  and  tools  include: 

•  A  briefing  given  to  command  chief  information  officers, 
information  technology  leaders  and  command  leaders  six  months 
before  the  transition.  The  briefing  includes  a  list  of  contacts,  a 
master  glossary  of  acronyms  and  a  lengthy  presentation  on  the 
network's  ins  and  outs. 

•  A  subsequent  briefing  that  takes  place  60  to  90  days  before  the 
transition,  again  for  the  leaders  and  IT  managers  of  a  command. 

•  End  users  can  download  a  series  of  "Ready,"  "Set"  and  "Go" 
guides  and  visit  the  EDS’s  special  Web  site  about  making  the 
transition  to  NMCI,  www.nmci-isf.com  (User  Information  Main 
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Menu),  accessed  February  2004.  These  materials  explain  how 
users  should  prepare  for  NMCI  prior  to  the  installation  of  their 
NMCI  workstation. 

•  A  variety  of  information  and  electronic  guidance/advice  provided 
in  the  above  mentioned  website  supported  by  the  EDS-ISF  team. 

2.  Information  Assurance  (IA)  within  NMCI 

The  overall  strategy  of  defending  the  NMCI  and  the  information  it  contains  is 
articulated  in  the  concept  of  information  assurance  (IA),  which  overlaps  into  the  concept 
of  computer  network  defense  (CND),  and  also  includes  network  availability  and 
operational  management.  The  NMCI  network  security  policy  is  essentially  a  compilation 
of  DoD  and  DoN  information  security  policies.  This  ensures  the  new  network's 
compliance  and  compatibility  with  existing  and  proposed  DoD  network  architecture  and 
operational  procedures. 

The  NMCI  network  security  architecture  must  be  capable  of  providing  protection 
of  the  Intranet's  information  systems  and  information  content.  This  includes  the  execution 
of  IA  mechanisms  to  implement  these  security  services  and  the  conduct  of  vulnerability 
assessments  to  validate  the  necessary  controls  is  in  place  to  satisfy  NMCI  information 
assurance  requirements.  Because  NMCI  provides  services  critical  to  accomplishment  of 
the  DoN  mission,  network  design  associated  with  information  assurance  is  subject  to 
strict  compliance  with  DoD/DoN  security  policy,  government  approval  of  IA  products 
and  CND  operations. The  NMCI  security  policy  supports  all  the  fundamental  information 
assurance  elements  and  establishes  how  the  NMCI  manages,  protects  and  distributes 
sensitive  information. 

The  NMCI  system  features  five  principal  information  assurance  or  security 
properties: 

•  Availability:  Authorized  users  can  properly  access  online  information 
systems. 

•  Integrity:  Safeguard  information  or  communications  from  modification  by 
unauthorized  users. 
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•  Authentication:  A  degree  of  certainty  or  assurance  that 
information/communications  are  provided  by  authorized  sources. 

•  Confidentiality:  Only  authorized  individuals  have  access  to  sensitive 
information. 

•  Non-repudiation:  There  is  some  proof  of  sending  and  receiving 
information/communications  for  tracking/documentation  purposes. 

From  the  information  security  standpoint,  the  enforced  unifonn  standards  will 
probably  reduce  the  number  of  available  gateways  that  were  vulnerable  to  cyber  attacks 
in  the  previous  IT  environment.  NMCI  is  intended  to  be  one  worldwide,  configuration- 
managed  enterprise  network  that  meets  or  exceeds  all  DoD  standards  for  security  and 
information  assurance.  NETWARCOM  is  the  central  operational  authority  responsible 
for  coordinating  all  information  technology,  information  operations,  and  space 
requirements  and  operations  within  the  Navy.  Establishment  of  NETWARCOM  has 
better  aligned  the  various  staffs  needed  to  support  the  concept  of  one  naval  network  and 
to  support  that  network's  end-to-end  operational  management. 

The  NMCI  initiative,  by  rooting  out  vulnerabilities,  is  raising  defenses.  It  is 
providing  uniform  security  standards  and  training  for  naval  personnel  people  before  they 
use  the  network.  The  network  operations  centers  control  intranet  traffic,  and  they  can 
isolate  the  network  if  need  be.  NMCI  delivers  significant  value  as  an  asset  for  the  DoN  at 
the  enterprise  level  with  important  improvements  in  IA,  by  providing: 

•  Public  Key  Infrastructure  that  is  interoperable  with  the  DoD’s  PKI. 

Navy  and  Marine  Corps  commands  have  been  authorized  an  extension 
until  the  1st  of  April  2004  to  achieve  full  compliance  with  the  following 
DoD’s  PKI  milestones: 

o  Client  side  authentication  to  DoD  private  web  servers 
o  Digitally  signing  all  e-mail  sent  within  DoD 
o  PK-enable  web  applications  in  unclassified  environments 
o  PK-enable  DoD  unclassified  networks  for  hardware  token 
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o  Certificate  based  access  control 

o  DoN  industry  partners  obtain  DoD  approved  PKI  digital 
certificates  or  external  certificate  authority  (ECA)  PKI  digital 
certificates 

•  Strong  Authentication:  PKI  Certificates  are  stored  on  a 
cryptographic  smartcard  (in  almost  every  case,  the  DoD  Common  Access  Card) 
that  is  required  for  network  access,  no  matter  of  the  point  of  entry. 

•  Central  Security  Management:  Certification  &  Accreditation  plus 
real-time  network  operation  status  provided. 

•  Incentives  Performance  on  IA:  DoN  Teams  will  provide 
independent  assessments  of  the  security  posture  of  the  NMCI  network.  The  NMCI 
vendor  receives  a  monetary  reward  based  on  their  performance  on  these 
assessments.  Red  teams,  independent  of  the  contractor,  review  network  designs 
for  vulnerabilities  and  periodically  conduct  simulated  attacks.  If  they  breach  the 
network,  the  contractor  could  lose  as  much  as  $10  million  a  year. 


•  Defense-in-Depth:  Multiple  protection  technologies  installed  in  a 
layered  system  of  defenses. 


Figure  41:  The  NMCI  Security  Architecture. 
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E.  ENDNOTES 

1.  Information  Security  (INFOSEC)  can  be  defined  as  the  protection  of 
information  against  unauthorized  disclosure,  transfer,  modification,  or  destruction, 
whether  accidental  or  intentional.  Information  Assurance  (IA)  activities  are  defined  as 
information  operations  that  protect  and  defend  information  and  information  systems  by 
ensuring  their  availability,  integrity,  authentication,  confidentiality  and  non-repudiation. 
This  includes  providing  for  restoration  of  information  systems  by  incorporating 
protection,  detection  and  reaction  capabilities.  (Dorothy  E.  Denning  (1999).  Information 
Warfare  and  Security.  Massachusetts:  Addison  Wesley  Longman,  Inc.,  p.  40) 

2.  SSL  has  recently  been  succeeded  by  Transport  Layer  Security  (TLS), 
which  is  based  on  SSL.  TLS  is  composed  of  two  layers:  the  TLS  Record  Protocol  and  the 
TLS  Handshake  Protocol.  The  TLS  Record  Protocol  provides  connection  security  with 
some  encryption  method  such  as  the  Data  Encryption  Standard  (DES).  The  TLS  Record 
Protocol  can  also  be  used  without  encryption.  The  TLS  Handshake  Protocol  allows  the 
server  and  client  to  authenticate  each  other  and  to  negotiate  an  encryption  algorithm  and 
cryptographic  keys  before  data  is  exchanged.  TLS  and  SSL  are  an  integral  part  of  most 
Web  browsers  (clients)  and  Web  servers.  If  a  Web  site  is  on  a  server  that  supports  SSL, 
SSL  can  be  enabled  and  specific  Web  pages  can  be  identified  as  requiring  SSL  access.  By 
convention,  URLs  that  require  an  SSL  connection  start  with  https  instead  of  http. 
(www.Searchsecurity.com  (SSL  Definition),  accessed  February  2004) 

3.  The  purpose  of  the  baseline  (As-Is)  study  was  to  provide  an  assessment  of 
assets  and  services  in  place  within  all  installations  at  the  time  the  BCA  was  conducted. 
Survey  and  extrapolation  techniques  were  determined  to  be  the  best  solution  for 
estimating  the  DoN’s  “as-is”  baseline.  A  sampling  technique  was  implemented  to  gather 
a  representative  cross-section  of  data  reflecting  IT  costs  and  service  levels  in  effect. 
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IV.  ANALYSIS 


A.  THE  WAY  NMCI  IS  TESTED 

The  DoN  continues  to  try  to  identify  the  imperfections  of  NMCI  and  is  currently 
in  the  process  of  conducting  a  complete  operational  evaluation  of  the  intranet.  The 
original  plans  from  September  of  2001  described  a  series  of  linear  tests  that  resembled 
the  “ship  evaluation”  approach.  The  network  had  at  that  time  to  pass  specific  tests  before 
the  next  set  of  seats  would  be  brought  onboard.  A  critical  task  for  the  year  2004  is  the 
successful  completion  of  the  evaluation  of  NMCI  at  the  operational  level.  Unlike  the 
original  testing  plans,  the  operational  evaluation  is  not  a  "go,  no-go"  decision  and  the 
entire  network  will  be  rolled  out.  The  focus  of  the  new  evaluation  is  to  identify  weak 
points  and  provide  feedback  to  improve  performance  of  the  current  environment. 

It  is  necessary  to  briefly  examine  the  previous  testing  concepts  related  to  the 
NMCI’s  implementation.  Management  Systems  Designers,  Inc.  (MSD)  successful 
support  for  the  NMCI  Contractor’s  Test  and  Evaluation  (CTE)  phase  was  the  reason  to  be 
awarded  a  two  year  task  to  perfonn  turning-up  testing  at  all  NMCI  (large  and  major) 
command  sites  prior  to  production  turn  over,  on  the  8th  of  March  2002.  Turning-up 
testing  is  a  critical  activity  at  the  end  of  “Site  Preparation”  phase  during  the  transition 
towards  the  NMCI  and  is  a  binding  activity  according  to  the  NMCI  contract  prior  to 
declare  the  specific  site  operational,  in  order  to  validate  the  architecture  of  the 
infrastructure  built  to  support  the  operation  of  the  Intranet.  Typical  activities  within  the 
tests  included  fact-finding,  data  discovery,  function  activity  and  task  analysis,  tool 
selection,  development  and  employment.  Finally,  the  conclusions  were  derived  after  an 
extensively  detailed  architecture  analysis.  To  facilitate  the  testing  activity,  MSD  has  built 
an  enterprise  architecture  development  practice  by  applying  the  Chief  Infonnation 
Officers’  Federal  Enterprise  Architecture  Framework  (CIO-FEAF)  and  DoD’s  command, 
control,  communications,  computers,  intelligence,  surveillance,  and  reconnaissance 
(C4ISR)  frameworks,  via  selecting  the  specific  components  that  best  match  DoN 
requirements.  Feedback  from  end-users  and  modeling  tools  were  used  extensively  to 
facilitate  the  design  and  development  of  the  continuously  adjusted  testing  procedures. 
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Testing  was  conducted  at  all  seven  layers  of  the  open  system  interconnection 
(OSI)  model  and  the  network  in  question  was  stressed  to  its  limits  via  a  disciplined,  pre¬ 
configured  approach.  The  performance  test  methods  were  based  on  traffic  generation, 
interoperability  confirmation  and  on-going  network  surveillance  techniques.  The 
approach  used  was  to  assess  interoperability  and  the  effects  of  various  network 
components,  applications,  and  operating  systems’  changes  on  the  network  with  a  “holistic 
view”,  by  identifying  the  various  interdependencies. 

This  specific  structured  approach  allows  network  engineers  to  measure  network 
performance,  predict  failure,  and  analyze  recovery  accurately.  The  goal  was  to  provide 
the  data  to  understand  systems  or  network  limitations  and  to  identify  the  corrective  action 
in  a  repetitive  process,  thus  achieving  high  levels  of  network  availability.  The 
performance  measurements  should  go  beyond  simply  measuring  point  statistics.  Trend 
analysis  should  be  used  extensively  to  identify  potential  impending  problems  and 
highlights  areas  that  need  improvement. 


Figure  42:  The  MSD  Framework  for  the  NMCI  Turning-Up  Testing,  from 
www.msdinc.com,  accessed  February  2004 


MSD  used  the  approach  shown  in  figure  42  to  support  the  first  increment  of 
NMCI  evaluation  activities,  by  developing  a  detailed  test  plan  for  the  worldwide,  base 
level  and  local  area  network  testing,  as  well  as  key  enterprise  application  tests  such  as 
directory  services  and  e-mail  latency.  The  plan  involved  identifying  and  developing  an 
approach  that  is  totally  independent  of  the  NMCI  built-in  network  management  system.  It 
also  required  evaluating  performance  differences  under  varying  conditions  between 
different  WAN  carriers,  identifying  the  necessary  test  tools  and  developing  detailed 

testing  procedures  to  conduct  tests  at  the  various  NMCI  operational  sites. 

92 


A  combined  team,  with  the  necessary  DoN  and  EDS  personnel  was  responsible  to 
conduct  the  testing  activities.  An  independent  third  party  by  specific  DoD  agencies 
ensured  the  validity  of  the  results  and  the  thorough  analysis  of  the  data  collected,  made 
possible  the  acceptance  assessment  that  took  place  during  the  year  2002.  At  that  time,  the 
evaluation  involved  roughly  20,000  seats;  this  year  there  will  be  more  than  100,000.  The 
NMCI  schedule  for  the  operational  evaluation  activity  established  the  beginning  of  the 
activities  in  early  October  2003  and  the  delivery  of  conclusions  around  the  2nd  quarter  of 
2004.  The  main  idea  is  to  closely  examine  the  deployment  and  operation  of  the  network. 
Based  on  a  similar  concept  with  the  previous  tests  and  in  order  to  ensure  the  validity  of 
the  methodology,  this  new  “operational  evaluation”  will  be  conducted  by  a  combination 
of  independent  testing  teams.  MSD  has  recently  announced  the  completion  of  the 
WAN/LAN  and  Servers  (Email,  Newsgroup,  Active  Directory,  Web,  etc.)  performance 
testing  in  support  of  the  NMCI  evaluation. 

B.  EVALUATION  OF  NMCI  PERFORMANCE 

NMCI  supports  the  fulfillment  of  both  strategic  and  operational  requirements  for 
the  DoN.  Analysis  made  in  the  BCA  for  the  NMCI  concluded  that  the  pre-NMCI  DoN  IT 
environment  only  partially  exhibited  the  desired  levels  of  service  in  Network  Operations 
and  Maintenance,  Interoperability  and  Security/Infonnation  Assurance.  Achieving  the 
service  levels  specified  in  the  NMCI  contract  aims  to  resolve  these  deficiencies.  The 
NMCI’s  Performance  Measurement  Plan  is  the  approach  used  to  ensure  that  key  outcome 
measures  are  identified  and  collected  in  order  to  facilitate  the  evaluation  of  the  intranet’s 
performance  and  detennine  whether  NMCI  is  supporting  the  kinds  of  improvements  it 
was  designed  to  accomplish.  In  order  to  capture  and  analyze  the  full  picture  of  the 
network  and  whether  the  capabilities  this  IT  platfonn  offers  to  the  DoN  enterprise  are 
taken  fully  advantage  by  the  users  or  not,  the  following  strategic  perfonnance 
measurement  categories  are  used: 

•  Interoperability 

•  Security  and  Information  Assurance 

•  Service  Efficiency 

•  Customer  Satisfaction 
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•  Work  Force  Capabilities 

•  Process  Improvement 

•  Operational  Performance 

The  first  two  measures,  interoperability  and  security  and  information  assurance, 
relate  to  the  NMCI’s  supporting  role  of  the  DoD’s  Global  Information  Grid  (GIG).  The 
second  pair  of  measures,  service  efficiency  and  customer  satisfaction,  measure  the 
immediate  impact  of  the  intranet  on  the  whole  organization.  By  measuring  the  services 
provided,  the  total  cost  of  providing  services  and  making  the  customer  (end-user)  a  key 
part  of  the  process,  the  direct  impact  of  NMCI  can  be  readily  assessed.  The  last  three 
areas  of  measurement,  assure  that  the  intranet  will  be  an  integrated  portion  of  the  Navy 
and  Marine  Corps  strategic  vision,  supporting  the  principles  of  using  information 
technology  (IT)  to  support  people,  focusing  on  the  value  of  technology  and  using  IT  as  a 
force  multiplier.  (NMCI  Report  to  Congress,  30  June  2000,  p.  J-5-1) 

To  facilitate  the  establishment  of  performance  criteria,  the  combination  of 
different  perspectives  was  necessary.  It  is  necessary  for  government  programs  to  assure 
that  they  address  important  strategic  performance  objectives  in  a  measurable  way.  The 
Balanced  Scorecard  for  NMCI  is  a  DoN  process  that  is  designed  to  provide  the  Navy  and 
Marine  Corps  leadership  with  tools  to  judge  how  well  NMCI  is  supporting  the  missions 
and  strategies  of  the  Department.  Furthermore,  the  main  idea  is  not  to  simply  collect  and 
analyze  data,  but  also  use  it  to  drive  improvements  in  their  organization  and  the 
associated  programs.  The  five  different  domains  shown  in  figure  43  are  used  to  evaluate 
the  NMCI  performance  and  provide  focus  on  how  NMCI  is  supporting  strategic  goals: 


Figure  43:  Balanced  Scorecard  Perspectives,  from  www.nmci.navy.mil  (Performance 
Measures),  accessed  February  2004 
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Performance  measurement  and  review  may  be  the  weakest  link  in  today’s 
managed  services  programs.  The  relationship  between  the  customer  and  the  services 
contract  provider  needs  to  consist  of  mutual  understanding  and  cooperation.  This 
relationship  can  only  be  strengthened  when  it  is  also  based  on  independent,  accurate  and 
up-to-date  performance  measurements  and  reviews.  Therefore,  a  multidimensional 
approach  is  necessary  to  provide  the  full  picture  of  the  NMCI  performance. 

1.  Customer  Perspective 

The  first  and  most  important  component  used  in  the  NMCI  evaluation  is  the 
customer  perspective,  expressed  in  terms  of  the  NMCI’s  impact  on  the  end  user.  Specific 
targets  like  the  level  of  effort  to  access  the  offered  IT  capabilities,  including  seamless  and 
faster  handling  of  information  and  the  overall  security  level  have  been  defined  and  data  is 
collected  through  surveys  or  automated  software  tools  that  capture  statistical  details. 


Customer  Objectives  and  Definitions 


Customer  /  C4  \  /  /  C13  \ 
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4of  IT  capability  Security  J 

Objectives 

Definitions 

Measures 

C4.  Enable  faster, 
better  decision 
making 

C4.  Provide  access  to  a 
broader  range  of  more 
meaningful  information  to 
facilitate  decisionmaking 
processes 

C4.1  Survey  2014  Echelon  3  (Lag) 

C15.Universal 
availability  of 

IT  capabilities 

Cl  5.  All  DON  employees  have 
access  to  full  spectrum  of 

IT  capabilities. 

Cl 5.1%  of  DON  employees  with  NMCI  account  (Lag) 

C8.  Enhance 
information 
security 

C8.  Eliminate  network  intrusion 
by  unauthorized  personnel 
while  providing  tightly 
controlled  configuration  of 
intranet  hardware/software 

C8.3  Percentage  of  successful  penetrations  out  of 
total  detected  and  undetected  attempted 
intrusion  (Lag) 

Cl  3.  Improve 
access  to 
information  on 
demand 

Cl  3.  Easier  to  find  information 
requested  and  easierto 
gain  authorized  access. 

Cl 3.3  %  of  workforce  that  can  access  users  data 

24/7  from  any  location  (Lag) 

Figure  44:  Customer  Perspective  used  in  the  evaluation  of  the  NMCI  Performance,  from 
www.nmci.navy.mil  (Performance  Measures),  accessed  February  2004 
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2.  Stakeholder  Perspective 

NMCI  is  not  only  about  delivering  a  better  communication  capability.  The  second 
component  within  the  NMCI’s  performance  matrix  is  the  stakeholders’  perspective, 
expressed  via  the  impact  at  the  various  commands  or  even  at  the  Department-wide  level 
mission.  Main  areas  of  concern  are  the  interoperability  issue  along  with  the  adaptation  of 
improved  business  practices  and  alignment  if  necessary  with  the  commercial  sector 
practices.  The  driver  of  the  stakeholder  perspective  is  to  increase  effectiveness  of  the 
personnel  with  the  IT  support  allowing  for  reduced  manning  and  to  provide  increase 
combat  capability  to  the  DoN,  by  “utilizing”  commercial  sector  experts  to  further 
improve  and  solve  problems  of  the  associated  infrastructure. 


Stakeholder  Objectives  and  Definitions 
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Objectives 

Definitions 

Measures 

SI/2.  Improved  missior 
effectiveness  and 
combat  capability 

SI/2.  Perform  missions  and  fight 
and  deterwars  betterthan 
we  can  presently. 

SI/2.1  20%  survey  MAGTF  (Marine  Commanders), 
Navy  Battle  Group  Commanders,  and 

Echelon  3  (Lag) 

SI  3.  Supports 
adoption  of  best 
business 
practices 

SI  3.  Provides  a  networking 

infrastructure  for  easier  and  less 
costly  adoption  of  new  ways  to 
do  business. 

SI  3.1  Increased  number  of  successful  re-engineered 
business  processes  leveraging  IT  (Lag) 

S6.  Increased 
Interoperability 

S6 .  Application  and  communication 
conformity  from  desktop  to 
desktop  within  the  enterprise  and 
improved  communications 
between  DON  network  and 
external  networks. 

S6.1  Increased  access  of  internal  and  external 
users  to  network  (Lag) 

Figure  45:  Stakeholder  Perspective  used  in  the  evaluation  of  the  NMCI  Performance, 
from  www.mnci.navy.mil  (Performance  Measures),  accessed  February  2004 
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3.  Learning  and  Growth 

As  already  shown  in  Figure  43,  this  perspective  overlaps  with  all  the  other 
domains  used  in  the  NMCI  performance  evaluation.  The  main  idea  is  to  promote 
innovation  and  introduce  collaborative  tools  to  achieve  a  better  level  of  cooperation 
among  the  various  elements  of  command.  Again,  it  is  necessary  to  use  a  combination  of 
surveys  along  with  statistical  analysis  to  reach  a  measurable  result. 


Learning  and  Growth  Objectives  and  Definitions 
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Objectives 

Definitions 

Measures 

L9.  Self  sufficient,  infoimed, 
knowledgeable  users 

L9,  DON  workforce  trained  and  able  to  use 
NMCI  cap  abilities  to  get  their  jobs 
done. 

L9 1. Workforce  survey-  %  reporting  NMCI 
helps  <o  get  jot)  (lone  (Lag) 

L16.  Provide  a  growth  and 
change  culture 

L16.  A  workforce  that  uses  the  new  enterprise 
inte  (connectivity  to  prep  a  re  for  the  future 
and  collaborate  for  improvement  in 
processes  and  organizational  re¬ 
engineering 

L16.1  Workforce  survey  -  %  reporting  “ves”  Navy 
supports  a  growth  and  change  culture  (Lag) 

L12T14.  Increase  user 
efficiencies  and 
productivity  thro  ugh 
application  of  better  IT 
interface  and  tools. 

LI^M.  More  woik  in  less  time  due  to  better  IT 
interface  and  prod  activity  tools.  Fewer 
hours  spent  in  wailing  for  network  or 
system  problems  to  be  corrected  combined 
with  faster  response  time  and  enterprise 
access  to  data. 

LI  2.1  Ratio  of  people  serviced  per  IT  support 
person  (Lag) 

L7.  Workforce  trained  in 
knowledge  management 
approaches 

L7.  A  workforce  trained  to  use  the  access, 
learning,  collaboration  and  training  tools  in 
order  to  sustain  and  improve  the  core 
competencies  of  the  DON. 

L7.2  #  of  people  using  collaborative  tools  (Lag) 

Figure  46:  Learning  and  Growth  Perspective  in  the  evaluation  of  the  NMCI  Performance, 
from  www.mnci.navy.mil  (Performance  Measures),  accessed  February  2004 
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4.  Financial  Perspective 

The  financial  perspective  includes  a  variety  of  estimates  to  determine  the 
economic  value  related  to  this  IT  investment  to  include  Return  On  Investment  (ROI)  and 
ratios  used  to  describe  improvements  between  the  previous  “As-Is”  state  and  the  current 
state  under  NMCI  operation. 

Financial  Objectives  and  Definitions 
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Objectives 

Definitions 

Measures 

FI  5.  Improved  resource 
allocation 

FI  5.  More  dollars  correctly 
focused  on  core 
competencies  instead  of  IT 
service  and  infrastructure 

FI  5.1  Percent  of  applications  that  are  enterprise  vs. 
local 

F6.  Enables  business 
process  re¬ 
engineering  cost 
reduction  initiatives 

F6.  Provides  an  infrastructure 
supportive  of  re-engineering 
processes  and  legacy 
application  reductions. 

F6.2  Number  of  successful  business  process 
reengineering  initiatives  (Lag) 

FI  6.  Optimize  IT  dollars 

FI  6.  Dollars  spent  on  NMCI 
translate  into  best  value 
services  for  DON  employees. 

FI 6.1  Improved  ratio  of  service  level  per  IT 
investment  dollar  (Lag) 

Figure  47:  Financial  Perspective  in  the  evaluation  of  the  NMCI  Performance,  from 
www.nmci.navy.mil  (Performance  Measures),  accessed  February  2004 

5.  Internal  Process  Perspective 

Because  NMCI  is  implemented  under  an  “enterprise”  paradigm  it  is  also 
necessary  to  include  performance  estimates  related  to  the  overall  support  of  the  DoN 
mission  and  requirements.  The  pace  of  the  introduction  of  technology  is  monitored  along 
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with  the  necessary  refreshment  attempts.  The  specific  domain  also  captures  portions  of 
the  IA  aspect  and  especially  focuses  at  the  level  of  protection  of  the  network,  to  include 
reactions  in  case  of  intrusion. 


j  /  Improved  support  of  \  \ 

/  i  Enterprise  mission  i  \ 

J  V  Critical  processes.  J 

“,“KS  s' - -X  *■»»') 

Perspective  1  technology  j  f  111  X.  1  assurance  j 

\  /  /  Improved  response  to  \  \  J 

Champion :  i\  MeiJ)  NMCimission  A 

A.  J  \  requirements  /  \  J 

Definitions 

Measures 

11 4.  Improved  support 
of  enterprise 
mission  critical 
processes 

11 4.  Ensure  that  communications 
and  computing  resources 
necessary  to  meet  the  future 
combat  and  support  needs  of 
the  DON  are  ready  as  needed. 

114.1  Percentage  of  web  enabled  enterprise 
mission  critical  process,  (of  the  whole 
number  of  enterprise  mission  critical 
processes)  (Lag) 

16.  Provide  timely 
refresh  of 
technology. 

16.  Keeps  the  user  community  up  to 
date  with  the  state  of  the  art  in 
computer  desktop  hardware, 
networks  and  other  components. 

16.4  Time  between  new  commercial  products 
announced  and  availability  on  NMCI  service 
level  (Lag) 

111.  Improved 
response  to  new 
NMCI  mission 
requirements 

11 1 .  Anticipate  the  future  demands  for 
new  communication  and  enterprise 
computing  capabilities  and  be 
ready  with  hardware  and  services 
to  meet  the  needs. 

111.1  Reduction  in  the  cycle  time  from  user 
requirement  identification  to  service 
delivery  (Lag) 

110.  Improve 
information 

assurance 

110.  Enterprise  data  is  safe  from 
compromise  and  the  system  is 
protected  from  security  intrusions. 

110.2  Reduced  number  of  IA  incidents 
reported.  (Lag) 

Figure  48:  Internal  Process  Perspective  in  the  evaluation  of  the  NMCI  Performance,  from 
www.nmci.navy.mil  (Performance  Measures),  accessed  February  2004 

6.  Tools  to  Create  the  NMCI  Balanced  Scorecard 

The  Predicate  Logic,  Inc.,  announced  during  the  year  2003  that  its  tool 

TychoMetrics®  has  successfully  gone  through  an  extensive  evaluation  by  the  Gartner 

Group  and  Cranfield  School  of  Management  and  was  selected  to  deliver  the  NMCI 

automated  Balanced  Score  Card  (BSC).  TychoMetrics  can  run  on  any  TCP/IP  network 

with  the  objective  to  harvest  data  from  remote  globally  distributed  sites  using  the 

99 


Internet,  and  by  being  NMCI  certified,  it  runs  on  every  Navy  and  Marine  Corp  desktop 
and  provides  a  wide  variety  of  “Smart-Metrics”.  The  specific  software  application  is  not  a 
dedicated  BSC  application  but  a  tool  to  automate  metrics  collection,  derivation,  and 
visualization  of  data.  TychoMetrics®  can  be  easily  adjusted  to  support  an  IT  environment 
where  you  have  electronic  data  to  harvest  and  analyze.  The  TychoMetrics®  Tool  Suite 
uses  only  Microsoft’s  operating  system  environments.  There  are  only  two  requirements  to 
collect  data  from  any  source:  the  measurement  source  file  must  have  visibility  to  the 
TychoMetrics®  Mediator  and  the  Mediator  must  have  the  probe/  probe  agent  that 
corresponds  to  the  tool  source.  The  Mediator  is  the  behind  the  scenes  component  that 
automates  the  data  collection  process.  The  probe/  probe  agent  specifies  the  data  to  be 
collected.  The  software  tool  can  then  report  the  data  in  various  configurable  formats 
including  the  BSC.  (www.tyckometrics.com  accessed  February  2004).  According  to  the 
company,  TychoMetrics  strengths  include: 

•  Automated  data  collection 

•  Derivation  and  visualization  of  data/reporting,  data  sourcing  and 
integration 

•  E-mail  alerts  when  metrics  exceeds  upper  or  lower  control  limits  or 
thresholds 

•  Statistical  process  control  and  management  by  exception 

The  approach  of  the  BSC  is  extremely  useful  in  order  to  track  and  promote 
strategic  goals  at  the  “enterprise-wide”  level.  In  order  to  have  a  sound  approach  within  a 
service  level  contract  it  is  necessary  to  have  a  performance  measurement  system  in  place 
that  has  the  following  characteristics: 

•  Easily  maintained  and  run  by  the  customer’s  (Naval)  personnel.  A  single 
point  of  control  would  eliminate  duplicate  data  and  remove  manning 
burden. 

•  Automatic  generation  of  performance  analysis  and  change  management 
reports. 
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•  Automatic  up-to-date,  accurate  and  complete  data  about  all  computer 
hardware  and  software  assets,  and  how  and  where  they  are  deployed. 
Profiling  data  should  be  updated  on  a  regular  basis,  i.e.  daily,  so  that  the 
latest  profile  data  is  always  available  to  help  make  performance  analysis 
and  other  decisions. 

•  Easy  access  to  reports  and  data  by  both  the  customer’s  and  the  service 
provider’s  personnel,  at  any  time. 

C.  HOW  THE  SERVICE  LEVELS  ARE  MEASSURED 

1.  Establishment  of  the  NMCI  Contract  Performance  Levels 
The  performance  measures  in  the  SLAs  represent  the  current  and  validated 
operational  requirements  of  the  DoN.  The  NMCI  SLAs  evolved  from  the  pre-established 
Measures  of  Effectiveness  (MOEs)  during  the  negotiation  phase,  which  in  turn  were 
based  on  the  NMCI  Design  Reference  Mission  (DRM).  The  DRM  approach  was  used  in 
order  to  fully  define  the  user  mission  environment  and  the  general  operating  envelopes 
that  the  NMCI  solution  should  support  -  thereby  leaving  to  the  service  provider  the 
ability  to  use  best  practices,  new  technology,  innovation,  and  cost  avoidance.  The  DRM 
describes  the  Navy  and  Marine  Corps  “use  environments”,  both  tactical  and  non-tactical. 
A  combined  DoN  operational,  engineering  and  acquisition  team  was  specifically  formed 
to  ensure  a  succinct  capture  of  operational  requirements  for  NMCI  and  an  accurate 
translation  of  these  into  contract  requirements  developed  all  of  these  products.  (NMCI 
Report  to  Congress,  30  June  2000,  p.  D-6-4) 


Contractor  develops  SOW 


Figure  49:  Establishment  of  SLAs,  from  the  NMCI  Report  to  the  Congress. 
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a.  Measures  of  Effectiveness  (MOE) 

The  DRM  provided  the  necessary  details  to  articulate  IT  services  needed 
for  individual  elements  within  the  DoN  to  accomplish  its  mission.  References  to 
performance  aspects  of  IT  were  narrowed  down  to  the  major  factors  that  would 
significantly  impact  mission  accomplishment.  Critical  factors  to  establish  the  necessary 
IT  environment  were  identified,  prioritized,  and  assessed  as  to  the  ability  to  serve  as  a 
MOE.  The  MOE  was  the  government  provided  performance  curve  and  the  SLA  is  a 
reference  point  on  that  curve  which  the  contractor  would  propose.  To  qualify  as  an 
MOE,  that  factor  had  to: 

•  Be  a  meaningful  indicator  of  the  end-to-end  NMCI  service 
delivery  performance  (or  provide  an  indication  of  how  proactively 
the  provider  is  addressing  infrastructure  performance  needs) 

•  Represent  a  factor  or  a  specific  group  of  factors  that  could  be 
addressed  and  influenced  by  the  provider 


•  Be  measurable 


SLAs  completely  define  the  metrics  that  are  be  used  to  evaluate  the 
network  performance  and  the  level  of  service  provided  by  the  contractor.  Three  tiers  of 
the  MOE  hierarchy  are  presented.  Three  top-level  SLA  components,  Assurance,  Capacity 
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and  Responsiveness,  collectively  define  all  of  the  relevant  characteristics  and 
performance  of  NMCI  and  are  used  as  the  first  tier  of  a  multi-tiered  series  of  measurable 
units.  The  second  tier,  Availability,  Survivability  and  Integrity,  provide  increasing 
specificity  and  detail  in  defining  measurable  areas  of  performance. 

MOE  Matrix 


Peak/Off-peak;  Weight  by  comm  unit)';  Phases  ewrywhere;  Interoperability  everywhere 


TIER  1 

TIER  2 

TIER  3 

•ttlvrark 
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(Whal  you  need,  when  you  need 
it.  as  nlended  lor  whom  intended) 

Availability  pw*  «aY/  bappwad) 

Survivability  fVuincratHiry  toamdman. 
it  Ha*  caritf  happen) 

Integrity 

■  riaftvork  jr/aiM«lly  iSubrwl, 
hwl,  applet  bis) 

•  %  ol  wqi^i lid  :ap>:ity  lost  over 
period  network  inlius»:«i5.  virus, 
ph/scal  attack  nclwcrk  disaster 

•  Attack  Noriru  attack  itfvrlun 
physical 

•  System  integrity,  data  carnation 

CAPACITY 

(Adequacy  of  resources  or  cutrenl 
reeds  and  new  near  term  needs) 

System  performance 

System  revision  &  refresh 

%  capacity  not  utilized 

•  Ikv.  krrhnctogy  .id.ifiiti  ime 

■  Throughput.  ptocawnj  slor-i* 

•Slorage 

RESPONSIVENESS 

(How  fast,  fimelness) 

Customer  support 

Network  services 

Training  &  Sea.1  Shore  rotations 

•  Rjfor 

■  Security  iiKidunl  repat  lima 

•  Recover/  line 

■  Attack  ime 

•  Hired  response  limn 

•  Tmdness 

•  Adequacy  iRasp ensr/onas-s  to 
nears) 

or  %  unflkdfor  periods 

Figure  5 1 :  MOE  Analysis  to  Detennine  SLAs,  from  the  NMCI  Report  to  Congress 


b.  NMCI  SLAs 

During  the  development  of  the  NMCI  Request  For  Proposal  (RFP)  a 
decision  was  made  to  shift  from  providing  the  vendors  with  only  MOEs  towards  adopting 
the  industry  standard  practice  of  using  SLAs.  The  DoN  requirements  were  established 
with  the  focus  on  the  maximum  reliable  communications  and  WAN  performance  (such 
that  the  WAN  would  operate  as  an  effective  extension  of  the  LAN)  in  combination  with 
maximized  cost  savings  making  therefore  the  obvious  selection  of  setting  the  level  of 
measurements  at  the  knee  of  the  industry  cost  performance  curve.  Benchmark  values  for 
the  MOEs  were  translated  to  SLAs,  and  the  breadth  of  coverage  of  these  SLAs  expanded 

to  cover  areas  of  IT  service  consistent  with  good  seat  management  contracting  practice. 
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Recognizing  the  evolving  nature  of  IT  infrastructure,  the  final  definition  of  requirements 
related  to  NMCI  is  a  process  that  has  included  evaluation  of  existing  best  business 
practices  as  well  as  military  system  perfonnance  parameters  supporting  both  business  and 
military  applications.  This  process  is  iterative  and  sufficiently  flexible  to  allow 
procurement  of  a  “best  value”  service  that  is  both  consistent  with  current  and  emerging 
technologies  and  military  uses  of  those  infrastructure  services. 

2.  NMCI  Performance  Level  Measures 

The  Clinger  -  Cohen  Act  requires  the  establishment  of  performance  measures  to 
assess  how  well  NMCI  supports  mission  accomplishment  and  to  provide  accountability 
and  evaluation  of  investment  post-deployment.  Baseline  service  level  performance  for 
each  of  the  domains  in  question  and  baseline  cost  for  services  under  the  previous  DoN’s 
IT  enviromnent  were  assessed  in  the  BCA  for  the  NMCI  and  were  documented  in  the 
“As-Is”  Total  Cost  of  Ownership  (TCO)  analysis  section.  Analysis  of  the  technique 
currently  in  place  to  support  the  evaluation  of  the  NMCI  perfonnance  can  be  further 
broken  down  into  distinct  categories. 

a.  Service  Efficiency 

The  economic  effectiveness  of  NMCI  is  detennined  by  comparing  its  cost 
versus  the  level  of  service  provided.  NMCI  can  increase  its  efficiency  by  either  providing 
more  services  for  the  same  cost,  or  it  can  reduce  the  price  paid  for  the  same  level  of 
services.  The  ratio  of  cost  to  services  provided  is  the  key  indicator  used  to  decide  whether 
the  contract  is  cost-effective.  Service  efficiency  is  a  measure  of  the  cost  associated  with 
supplying  IT  services  to  the  DoN.  The  NMCI’s  efficiency  is  monitored  through  the  cost 
per  service  level,  and  not  simply  through  costs  or  services  total  independently  of  one 
another.  Two  measures  are  used  to  judge  the  effectiveness  of  NMCI  in  achieving  service 
efficiency: 

•  Direct  cost  per  specified  level  of  service 

•  Indirect  costs 

Costs  include  both  direct  costs  (i.e.,  annual  cost  per  seat)  and  indirect  costs 
(as  a  monetary  representation  of  productivity  gains  or  as  an  indicator  of  IT  system 
efficiency  from  an  end-user  perspective).  Direct  costs  measure  the  costs  that  are  typically 
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included  in  the  IT  budget.  These  include  the  costs  of  hardware  and  software,  as  well  as 
the  costs  of  network  operations  and  administration,  including  labor  costs.  Direct  seat 
costs  are  roughly  comparable  to  the  costs  covered  by  the  NMCI  outsourcing  effort. 
Indirect  costs  include  many  of  the  impacts  of  IT  services  on  the  end  user  that  affect 
productivity,  but  are  not  explicitly  covered  in  the  IT  budget.  These  costs  include:  (NMCI 
Report  to  Congress,  30  June  2000,  p.  J-5-5) 

•  Informal  computer  support — time  the  end  user  spends  either  by 

himself  or  with  peers  supporting  basic  information  management  (IM)/IT 

services  because  help  desks  are  not  responsive 

•  Learning — both  formal  and  casual 

•  Downtime — lost  productivity  due  to  network  or  software  problems 

Basic  user  services  (covered  by  different  SLAs)  that  for  the  time  being  are 
used  to  measure  perfonnance  include: 

•  Standard  office  automation  software 

•  E-mail 

•  Web  access 

•  Intranet  performance 

•  Internet  access 

•  Desktop  access  to  Government  Applications 

•  User  training 

•  Search  engine  services 

•  Directory  services 

•  News  groups 

•  Print  services 

•  Unclassified  remote  access 

.  NIPRNET/SIPRNET  access 
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Portable  workstation  wireless  dial-in 


•  Software  distribution 


•  Mainframe  access 

b.  Interoperability 

Information  interoperability  is  a  key  enabler  necessary  to  share 
information  throughout  the  DoN  enterprise.  The  DoN,  in  order  to  ensure  that  the  level  of 
collaboration  either  within  the  Navy  domain  or  with  other  external  services  would  not  be 
undermined  under  NMCI,  put  a  lot  of  interoperability  tests  into  the  first  increment  of  the 
contract  to  help  erase  these  fears.  [Note  1]  Interoperability  within  the  NMCI  contract  is 
defined,  as  the  ability  of  the  related  with  the  NMCI  IT  systems  to  provide  services  to  and 
accept  services  from  other  armed  forces  and  facilitate  communication  and  sharing  of 
information. 


Information  Exchange 
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Figure  52:  DoD  Levels  of  Information  Systems  Interoperability  (LISI),  from  the  NMCI 


Contract  N00024-00-D-6000,  (Confirmed  Contract  P00080) 


In  order  to  achieve  interoperability,  applications  need  to  achieve  both 
connectivity  and  the  capability  to  share  data.  For  the  time  being,  NMCI  provides  the 
connectivity  required  to  enable  the  DON  to  achieve  LISI  level  2.  Levels  in  the  upper 
level  of  the  hierarchy  can  only  be  achieved  through  integration  of  applications  and  a 
shared  data  environment.  The  NMCI  is  a  critical  component  of  the  DoN’s  vision  of  a 
network-centric  force,  where  a  single  secure,  integrated  network  delivers  all  voice,  video, 


106 


and  data  IT  services  to  more  than  360,000  seats  in  more  than  300  locations.  Through  the 
standardization  of  hardware  and  software  suites,  and  employment  of  common,  multi¬ 
layered  security  architecture,  the  NMCI  will  greatly  improve  interoperability  and  security 
across  the  Navy  and  Marine  Corps. 

c.  Security 

NMCI  provides  security  services  for  protection  of  the  Information  System 
(IS),  IS  Domains  (Communities  of  Interest)  and  Information  Content  (at  rest,  in  use,  and 
in-transit)  in  accordance  with  DoD’s  IA  policies  and  procedures.  Security  services 
protect  both  unclassified  and  classified  information  and  the  aim  is  to  achieve  full 
integration  with  the  DoD  Public  Key  Infrastructure  (PKI)  services,  (www.nmci.navy.mil 
(Security  Services),  accessed  February  2004)  Security  measures  are  used  to  compare  the 
performance  of  the  enterprise  pre-  and  post-NMCI  operations.  The  measures  focus  on: 

•  The  ability  to  detect  and  respond  to  security  intrusions 

•  The  level  of  compliance  and  successful  execution  of  good  security 
practices  (i.e.  compliance  with  INFOCONs,  IAVAs,  PKI  and 
Smart  Card). 

The  first  set  of  measures  (attacking  the  NMCI)  is  the  “Red  Team” 
approach,  which  will  focus  on  quantitative  evidence  of  how  NMCI  performs  on 
protecting  information  and  networks.  This  includes  the  results  of  exercises  identifying 
vulnerabilities,  numbers  of  intrusions,  reasons  for  intrusions,  and  response  time  for 
correcting  security  problems  identified  by  intrusions.  The  second  set  is  analogous  to  the 
“Green  Team”(“hardening”  the  security  structure  of  NMCI).  These  measures  address 
compliance  with  already  established  by  the  DoD  security  and  information  assurance 
procedures.  They  include  such  measures  as  the  number  of  seats  with  smart  card  capability 
and  utilization  of  public  key  infrastructure,  evaluations  of  current  practices  and  policies, 
and  compliance  time  for  such  actions  as  INFOCONs  and  IAVAs. 

Specific  IA  SLAs  are  representative  of  the  target  performance  measures 
for  the  range  of  I A  functionality  provided  with  NMCI.  The  I A  SLAs  are  in  two 
categories:  Security  Planning  Services  and  Security  Operational  Services.  Because  of 
their  critical  role  in  the  DON,  two  of  the  operational  services-PKI  and  SIPRNET-have 
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been  broken  into  separate  SLAs.  Utilizing  a  “defense  in  depth”  strategy,  NMCI  is 
designed  to  provide  confidentiality,  integrity,  authenticity,  identification,  access  control, 
non-repudiation,  survivability,  and  availability  of  the  information  and  infonnation 
technology  (IT)  systems  in  a  network  centric  warfare  environment. 

d.  Network  Operations  and  Maintenance 

Network  management  services  include  such  disciplines  as  virus  detection 
and  repair,  low  impact  upgradeability,  scalable  architecture,  change  management,  and 
maintenance  of  the  Local  Area  Network  hardware  and  software.  Systems  management 
services  include  asset  management,  software/hardware  inventory,  software  distribution, 


and  systems  management. 


NMCI  Performance  Measures 

Perf.  Measure 

Baseline 

Goal 

Metric 

Service  Efficiency 

Direct 

Cost/Service 

Level 

S824 

$600 

Obtained  from  post  contract  award  IT  manager 
survey,  contract  performance  monitoring,  and 
actual  contract  cost 

Indirect  Costs/ 
Seat 

$8,619 

$3,642 

Obtained  from  post  contract  award  IT  manager 
survey,  contract  performance  monitoring,  and 
actual  contract  cost. 

Interoperability 

Joint  and 
Industry 
Network 
Interoperability 

Partially 

Exhibits 

Required 

Service 

Levels 

Fully  Exhibits  or 
Exceeds  Required 
Service  Levels 

Obtained  from  post  contract  award  IT  manager 
survey,  contract  performance  monitoring,  and 
actual  contract  cost 

Security 

Security 

Services 

Partially 

Exhibits 

Required 

Service 

Levels 

Fully  Exhibits  or 
Exceeds  Required 
Service  Levels 

Obtained  from  post  contract  award  IT  manager 
survey,  contract  performance  monitoring,  and 
actual  contract  cost 

Network  Operations  and  Maintenance 

Network 

Management 

Services 

Exhibits  majorit; 
if  NMCI  Service 
Levels 

Fully  Exhibits  or 
Exceeds  Required 
Service  Levels 

Obtained  from  post  contract  award  IT  manager 
survey,  contract  performance  monitoring,  and 
actual  contract  cost 

System 

Management 

Services 

Partially 

Exhibits 

Required 

Service 

Levels 

Fully  Exhibits  or 
Exceeds  Service 
Levels 

Obtained  from  post  contract  award  IT  manager 
survey,  contract  performance  monitoring,  and 
actual  contract  cost 

Table  8:  NMCI 

Performance  Measures,  from  www.nmci.navv.mil  (Performance 

Measures),  accessed  February  2004 
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3.  Automated  Tools  Used 

The  service  levels  are  monitored  using  an  enterprise  management  system  located 
at  the  NMCI  network  operations  centers  in  Norfolk,  Va.,  San  Diego  and  Hawaii. 
(www.fcw.com  (Navy,  EDS  to  refine  performance  metrics),  accessed  March  2004)  These 
facilities  are  where  EDS  and  subcontractor’s  personnel  work  alongside  Navy  personnel  to 
monitor,  maintain,  repair  and  protect  the  network  that  comprises  NMCI.  EDS  is 
deploying  Cisco®  Info  Center  to  manage  its  service-level  agreements  (SLAs)  with  the 
NMCI.  By  using  this  automated  tool,  the  NMCI  administrators  can  more  easily  manage 
the  daily  operations  of  the  intranet  and  demonstrate  to  the  executive  oversight  committees 
how  the  network  is  performing  on  an  ongoing  basis  and  in  real  time. 

We  are  dedicated  to  providing  the  optimum  level  of  service  for  NMCI, 

and  this  tool  will  help  us  monitor  the  system  to  verify  that  the  elements  of 

the  enterprise  network  are  performing,  as  they  should 

Bill  Richards,  EDS’  NMCI  Enterprise  Client  Executive 

Cisco  Info  Center,  developed  by  Cisco  and  Micromuse,  enables  users  to  centrally 
manage  and  control  infrastructure  services.  Through  sophisticated  service-level  alann 
monitoring  and  diagnostics  capabilities,  the  system  provides  impact  analysis,  situational 
awareness  and  service  assurance  for  SLA  management  and  reporting.  It  also  provides 
application,  system,  and  network  fault  and  performance  monitoring;  network  trouble 
isolation;  and  real-time  service-level  management  for  enterprises.  By  interacting  with 
other  management  tools,  the  specific  automated  tool  has  the  ability  to  provide  service- 
level  monitoring  and  network  partitioning  for  virtual  private  network  and  customer 
network  management  services.  Cisco  Info  Center  provides  real-time  end-to-end  visibility 
and  accurate  business  impact  analysis  on  IT-related  faults.  With  direct  and  easy  access  to 
such  vital  intelligence,  NMCI  administrators  are  able  to  quickly  prioritize  workflow  and 
focus  on  the  most  mission-critical  problems  first,  (www.cisco.com  (Products),  accessed 
March  2004) 

Norfolk  is  the  primary  operations  center;  the  San  Diego  facility  also  monitors  the 
systems  and  is  there  for  backup  in  case  anything  happens,  no  matter  how  major  or  minor. 
At  each  NOC  facility  there  is  a  room  —  physically  the  heart  of  the  center  —  where 
technicians  monitor  the  vital  signs  of  the  systems  at  work.  Overhead  screens  use  traffic- 
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light  images  to  let  everyone  know  the  status  of  services  by  location,  while  individual 
monitors  track  each  component  in  more  detail.  Availability  of  services  within  the 
network  is  defined  as  the  percentage  of  time  any  service  is  available  to  the  end  user  or  the 
end  user  community.  For  the  time  being,  EDS  must  meet  roughly  200  metrics,  ranging 
from  help  desk  support  to  network  response  time. 

4.  Conclusions  and  Recommendations  for  the  Performance  Monitoring 

Methodology  Currently  Used 

a.  Development  of  SLAs 

A  service  level  agreement  (SLA)  gives  both  the  DoN  and  vendors  a 
baseline  by  which  to  determine  whether  the  service  contracted  for  is  being  delivered  and 
a  way  to  measure  performance.  It  may  have  been  difficult  to  get  all  user  groups  to  totally 
agree  on  the  requirements,  however  extensive  risk  mitigation  techniques  and  feedback 
from  a  variety  of  end-user  groups  was  used  to  deliver  the  final  result.  No  matter  that  the 
approach  to  negotiate  for  the  NMCI  contract  was  established  by  a  government  agency 
(DoN)  with  minimum  services  contract  experience,  the  procedures  used  to  develop  and 
define  the  SLAs  were  sound  based  on  proven  concepts  already  followed  by  the 
commercial/private  sector  business.  Every  aspect  of  the  multi-billion  NMCI  outsourcing 
contract  that  covers  voice,  video  and  data  services  is  outlined  in  a  SLA  with  extensive 
details.  A  summary  of  the  challenges  involved  and  conclusions  is  shown  in  Figure  53: 

•  Challenge  was  to  identify  key  performance 
areas  end-to-end  (both  direct  and  indirect) 

•  Developed  complementary  set  of  measures, 
used  Tiger  Team  (DON,  Gartner,  Telcordia) 

•  Resultant  SLA  metrics  reflect  3  step  process: 

-  Started  with  metrics  from  commercial  cases 
(analogous  businesses) 

-  Obtained  validation  from  stakeholders  (mission 
alignment) 

-  Received  feedback  from  service  providers  (cost) 

Figure  53:  NMCI  Challenges  in  the  Development  of  the  SLAs 
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b.  SLAs  and  Related  Metrics 

When  the  initial  contract  was  written  down  it  included  135  metrics  within 
37  SLAs.  Through  the  process  of  continuous  adjustment  there  is  now  a  total  of  44  SLAs 
with  197  metrics.  The  complete  description  of  the  metrics  involved  can  be  found  in  Table 
D  in  Appendix  D;  however  a  breakdown  with  a  short  analysis  of  the  metrics  currently  in 
use  is  shown  in  figure  54: 


SLA 

DESCRIPTION 

SERVICE  EFFIC. 

CUST.  SATISF. 

INTEROPER. 

SECUR  .-  IA 

NETWORK  OPER 

NUM.  METRICS 

1 

DT  HW  and  OS 

YES 

YES 

YES 

5 

2 

St.  Office  SW 

YES 

YES 

YES 

YES 

4 

3 

E-mail  Services 

YES 

YES 

YES 

YES 

5 

4 

Directory  Services 

YES 

YES 

YES 

YES 

7 

5 

File  Shared  Services 

YES 

YES 

YES 

6 

6 

Web  Access  Services 

YES 

YES 

YES 

YES 

4 

7 

Newsgroup  Services 

YES 

YES 

YES 

YES 

5 

8 

MULTIMEDIA  CAPABILITIES:  Deleted 

9 

Print  Services 

YES 

YES 

4 

10 

NMCI  Intranet  Performance 

YES 

YES 

YES 

YES 

YES 

5 

11 

NIPRNET  Access 

YES 

YES 

YES 

4 

12 

Internet  Access 

YES 

YES 

YES 

3 

13 

Mainframe  Services  Access 

YES 

YES 

YES 

3 

14 

Desktop  Access  to  Gov.  Apps 

YES 

YES 

YES 

YES 

YES 

3 

15 

Moves,  Adds,  and  Changes 

YES 

YES 

5 

16 

SW  Distribution  and  Upgrades 

YES 

YES 

YES 

4 

17 

User  T  raining 

YES 

3 

18 

Unclassified  Remote  Access 

YES 

YES 

YES 

4 

19 

Classified  Remote  Access 

YES 

YES 

YES 

5 

20 

Portable  WS  Wireless  Dial-in 

YES 

YES 

3 

20A 

Org.  Messaging  Service 

YES 

YES 

YES 

4 

21 

Desktop  VTC  Services 

YES 

YES 

YES 

YES 

6 

22 

Voice  Communications 

YES 

YES 

YES 

10 

22A 

Voice  Mail 

YES 

YES 

YES 

4 

23 

Basic  Help  Desk  Services 

YES 

7 

24 

WAN  Network  Connectivity 

YES 

YES 

YES 

YES 

5 

25 

BAN/LAN  Com.  Services 

YES 

YES 

YES 

YES 

5 

26 

Moveable  VTC  Seat 

YES 

YES 

YES 

YES 

7 

26A 

Proxy  and  Caching  Services 

YES 

YES 

YES 

YES 

4 

27 

External  Networks 

YES 

YES 

YES 

YES 

6 

28 

Network  Management  Services 

YES 

YES 

YES 

5 

29 

Operational  Support  Services 

YES 

YES 

4 

30 

Capacity  Planning 

YES 

YES 

3 

31 

Domain  Name  Server  (DNS) 

YES 

YES 

4 

32 

Application  Server  Connectivity 

YES 

YES 

4 

32A 

Network  Operations  Display 

YES 

YES 

YES 

YES 

2 

33 

NMCI  Security  Oper.  Services 

YES 

YES 

YES 

YES 

YES 

9 

34 

NMCI  Sec.  Oper.  Services  PKI 

YES 

YES 

YES 

YES 

YES 

4 

35 

NMCI  Sec.  Services  -SIPRNET 

YES 

YES 

YES 

YES 

YES 

4 

36 

NMCI  Sec.  Planning  Services 

YES 

YES 

YES 

YES 

YES 

4 

36A 

Integrated  Config.  Management 

YES 

1 

36  B 

Integration  and  Testing 

YES 

YES 

YES 

2 

36  C 

Technology  Refreshment 

YES 

4 

36  D 

Technology  Insertion 

YES 

YES 

2 

37 

Sea-Shore  Rotation  Support 

YES 

2 

Total  of  SLAs:  44 

TOTAL  NUMBER : 

194 

SLAs  that  Span  into  all  the  Domains 

To  Include  ROI,  Financia 

Ratios  :  1 97 

Figure  54:  The  SLAs  and  Performance  Measurements  Matrix  Currently  in  Use. 
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The  initial  idea  of  this  thesis  was  that  a  number  of  metrics  at  the  level  of 
200  were  too  many  and  would  only  complicate  the  monitoring  activity;  therefore  a  much 
shorter  version  should  be  used.  After  a  thorough  examination  of  the  method  used  to 
evaluate  the  NMCI  performance,  the  final  conclusion  is  that  an  increased  number  of 
metrics  is  needed  to  precisely  describe  the  level  of  services  provided.  Additional 
validation  is  provided  by  the  fact  that  the  approach  used  by  the  DoN  to  create  the 
associated  metrics  was  similar  to  the  practices  followed  by  the  private  sector,  and 
feedback  from  a  variety  of  sources  was  used  extensively.  Finally,  the  magnitude  of  the 
effort  and  the  technical  complexity  of  the  specific  IT  initiative  also  suggest  that  a 
tremendous  amount  of  detail  is  necessary  to  fully  capture  the  perfonnance  of  the  network. 

It  is  necessary  to  note  that  specific  services  are  monitored  via  a 
combination  of  metrics  that  span  all  the  categories  of  performance  measures  analyzed  in 
the  previous  section.  For  example  there  are  specific  SLAs  that  introduce  a  large  number 
of  metrics  to  provide  the  full  picture  of  the  related  activities,  such  as  all  of  the  NMCI 
security  related  agreements.  Although  the  vast  majority  of  the  necessary  metrics  to 
measure  and  assess  performance  are  already  contained  within  the  establish  SLAs,  with 
the  precondition  that  periodically  adjustments  of  the  level  is  required  to  ensure  to  scope 
of  this  IT  initiative,  as  an  additional  improvement  it  would  be  useful  to  allow  the  end- 
users  to  access  the  quality  of  the  training  services  they  are  receiving  by  the  contractor  and 
to  provide  feedback  on  the  operation  of  the  helpdesks  or  their  views  towards  the  sea 
shore  rotation  policies.  Finally,  technology  insertion  and  refreshment  should  account  for 
both  the  commercial  sector  and  the  other  military  services  pace  in  a  joint  operations 
paradigm,  making  the  adjustment  of  the  matrix  necessary. 

Under  the  NMCI  contract,  EDS  is  paid  based  on  its  ability  to  meet  specific 
service  levels  on  key  measures,  such  as  network  uptime,  availability  of  applications  and 
help-desk  response  time.  Upgrades  to  the  systems  are  done  on  a  scheduled  basis  at  no 
additional  cost  to  the  government  and  payment  is  tied  to  service  quality  and  customer 
satisfaction.  The  customer  accepts  less  risk  because  an  SLA  makes  the  vendor 
responsible  for  meeting  the  target  service  levels,  while  the  vendor  gains  the  ability  to 
manage  customer  expectations  in  a  well-defined  manner.  Penalties  could  be  imposed 
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when  performance  measures  are  not  met.  The  SLAs  generally  should  have  three  distinct 
components: 

•  What  are  the  services  to  be  provided 

•  What  are  the  measured  targets  of  service  that  the  customer  expects 

•  What  happens  if  the  service  provider  fails  to  deliver  the  service  it 
promises 

From  the  technical  point  of  view,  among  the  items  that  should  be  included 
in  the  service  metrics  are  network  performance  and  reliability,  service  availability 
intervals,  mean  time  to  report  a  failure,  message  delivery  time,  the  number  of  closed 
trouble  tickets,  completion  times  for  moves-additions  or  changes,  the  level  of  voice 
services,  multimedia  capabilities;  and  user  training.  Each  criterion  should  include  low, 
medium  and  high  service  grades  and  be  priced  accordingly.  For  example,  a  high  network 
availability  guarantee  of  99.9  percent  uptime  would  cost  more  per  user  than  a  low 
network  availability  of  99.5  percent  uptime.  NMCI’s  SLAs  confonn  very  closely  to  the 
above  norm  that  prevails  in  the  private  sector  through  the  distinction  of  basic,  high  level 
and  mission  critical  subdivisions.  Finally  the  metrics  currently  in  use  provide  sufficient 
data  to  analyze  the  performance  of  the  network  with  the  help  of  automated  software  tools. 
The  central  point  of  management  activity  enforced  by  the  NMCI  approach  facilitates  the 
seamless  monitoring  activity  of  the  network.  A  summary  of  the  conclusions  involved 
with  the  performance  measures  analysis  is  shown  in  figure  55: 

*  Optimal  set  of  measures  is  probably  not  fewer,  but 
more  (44  SLAs,  >  200  performance  metrics) 

*  Only  specify  what  can  be  measured  (remote  devices, 
help  desk,  inspection) 

*  Specific  language  is  critical  (where  measured,  how 
calculated,  how  aggregated,  how  reported) 

-  Link  of  contractor  performance  to  contract  payment 
algorithm  must  produce  outcome  of  customer 
desired  emphasis  and  focus 

*  Reporting  format  should  enable  a  quick  assessment 

of  true  performance _ 

Figure  55:  Summary  of  NMCI  Performance  Measurements  Matrix 
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D.  REASONS  WHY  THE  END-USER  IS  UNCOMFORTABLE  WITH  NMCI 

Reality  as  usual  is  very  different  from  the  planned  in  advance  situation  and  when 
dealing  with  a  change  of  that  size,  it  is  also  logical  to  expect  the  creation  of  very  different 
reactions  within  the  DoN  organization.  There  have  been  two  major  hurdles  to  overcome: 
the  culture  issues  as  people  are  forced  to  change  the  hardware  and  software  they  use  or 
where  they  go  for  help-desk  support  and  the  massive  number  of  existing  legacy  systems. 

1.  Cultural  Changes  Needed 

In  order  to  move  towards  the  standard  system,  the  NMCI  implementing  team 
must  take  users  off  personal  computers  and  put  them  in  front  of  standardized  network 
tenninals,  in  what  is  essentially  a  depersonalization  of  their  desktop.  There’s  a  price  to  be 
paid  for  the  increased  security.  You  can’t  put  your  kids’  pictures  up  as  screensavers 
anymore  because  it’s  a  security  risk.  Also  there  are  cases  that  the  idea  of  worse 
performance  is  just  related  to  the  end-users  luck  of  knowledge  for  the  whole  NMCI 
concept.  People  tend  to  see  NMCI  only  as  a  desktop  rather  than  a  full-service  contract 
providing  hardware,  software,  security,  connectivity,  service,  repair,  and  the  manpower  to 
make  it  all  work.  It  is  the  notion  that  the  user  “owns”  his  dektop  that  the  Navy  needs  to 
clarify.  The  Navy  needs  to  clearly  explain  the  ideas  involved  with  NMCI  and  its 
“enterprise-level”  aproach. 

There  are  many  complaints  expressed  by  a  variety  of  users  that  NMCI  has  an 
inferior  perfonnance  than  the  previous  state  of  IT  operation.  To  clarify  the  level  of 
expectetions  associated  to  NMCI,  there  is  a  need  to  stress  that  the  introduction  of  the 
Naval  Intanet  is  an  effort  to  create  uniform  standards  and  performance  for  all  those  under 
the  DoN.  For  those  that  were  below  the  desired  performance  bar  as  it  was  detennined  by 
the  central  authority,  a  new  better  IT  paradigm  has  emerged.  For  those  that  through 
coordinated  activities  and  funding  available  were  able  to  deliver  a  superb  IT  enviroment, 
NMCI  means  that  performance  is  often  degraded.  For  example: 

•  Longer  logon  times  (often  the  main  source  of  complaints  and  regarded  by 
the  non  experienced  user  as  indication  of  poorer  perfonnance  in  relation 
with  the  previous  state  of  the  network) 

•  Public  Key  Infrastructure  (PKI)  logon  requires  more  steps  and  time 
associated  with 
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Additionally,  with  the  current  state  of  NMCI,  there  is  a  great  difference  in  the 
culture  level  expressed  in  tenns  of  the  conflict  between  increased  security  and 
depersonalisation  of  the  desktop.  Security  might  be  the  main  point  of  focus  but  research 
into  complaints  articles  for  NMCI  indicates  that  users  don’t  like  the  NMCI  concept  or  at 
least  not  filling  comfortable  with  it  because  appart  from  removing  the  current  existing 
non-secure  protocols,  it  also  forces  policies  that  can  be  regarded  as  restriction  of 
personal  freedom.  I  will  provide  a  short  and  certainly  not  exhaustive  list: 

•  Incoming  e-mails  screened 

•  Security  lockout  after  1 5  minutes 

•  Websites  blocked  if  non-secure  practices  are  involved 

•  NMCI  limits  wireless  and  PDA  options 

•  “Top  to  the  Bottom”  standardization  and  centralization,  which  limits  local 
flexibility  and  even  more  creates  the  impression  that  the  user  is  not  using 
his/her  “personal”  computer 

•  Desktop  is  “Locked  Down” 

o  Can  not  download  Freeware,  Shareware,  or  Games 
o  No  CD  ROM  installs  by  individual  users 

To  ease  the  cultural  adjustment  and  provide  training  for  the  new  NMCI  system, 
EDS  provides  both  an  e-leaming  system  and  a  two-tiered  help  desk  approach.  The  web- 
enabled  training  system  is  quite  effective.  The  system  is  continuously  updated  with  issues 
derived  from  user  questions  to  the  helpdesk.  Help  desk  tier  I  takes  all  user  calls,  but  deals 
only  with  problems  that  tend  to  be  resolved  easily.  If  not,  they  are  escalated  to  tier  II, 
where  staff  with  more  technical  experience  answers  questions,  but  unfortunately  the  long 
waiting  time  involved  with  the  handling  of  complex  issues  are  creating  the  impression 
that  the  help-desk  is  only  solving  the  minor  problems  and  end-users  still  complain  that 
support  is  not  enough.  The  current  state  of  the  NMCI  performance  is  still  lagging  from 
the  DoN  targets.  However,  end-user’s  surveys  show  that  satisfaction  level  with  NMCI 
increases  as  time  passes  and  research  associated  to  the  introduction  of  different  IT 
capabilities  in  large  scale  organization  indicates  that  customers  get  accustomed  to  any 
new  system  in  the  long  run;  however  this  process  can  take  a  couple  of  years.  Change 

management  practices  are  necessary  to  facilitate  the  transitioning  period. 
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2.  The  Legacy  Applications  Issue 

A  second  point  of  interest  is  the  progress  with  the  legacy  applications.  The  NMCI 
request  for  proposals  called  for  a  single  operating  system  network.  As  a  result  anything 
that  is  not  functional  under  a  Microsoft  Windows  2000  environment  must  be  quarantined 
or  connected  via  CLIN  32  (external  network  connection)  or  CLIN  29  (legacy  system 
support).  DoN  and  EDS  officials  have  been  bogged  down  for  a  very  long  time  in 
reviewing  applications  to  detennine  if  they  are  necessary  and,  if  so,  testing  them  to 
ensure  that  they  meet  security  requirements. 

The  ISF  has  already  established  a  Legacy  Application  Working  Group  to 
determine  the  processes  necessary  to  move  legacy  applications  into  the  NMCI 
environment.  The  process  will  include  recommendations  to  the  DoN  on  where  it  can 
reduce  reliance  on  legacy  systems.  NMCI  offers  the  DoN  an  opportunity  to  employ  a 
state-of-the-art  infrastructure,  reduce  the  number  of  legacy  applications  and  expand 
standardazation  throught  the  whole  DoN.  Unfortunely  it  is  again  the  end  user  that  will 
face  all  the  pain  since  new  restrictions  will  be  effective  but  he/she  will  still  have  to 
perform  all  the  variety  of  “old”  functions  with  the  means  of  mismatching  tools.  The 
legacy  issue  also  fed  the  culture  issue  because  NMCI  forced  users  to  abandon  well-worn 
applications,  and  they  were  often  reluctant  to  do  so,  often  without  an  alternative  option. 

E.  POTENTIAL  WEAKNESSES  AND  VULNERABILITIES  IN  TERMS  OF 

INFORMATION  ASSURANSE  (IA) 

NMCI  has  established  a  service  level  management  program  that  monitors  the 
performance  of  the  NMCI  network  and  the  related  security  features.  This  perfonnance  is 
contractually  binding  and  contains  incentives  for  the  contractor  to  exceed  performance, 
security,  and  customer  satisfaction  parameters.  Independent  government  teams  monitor 
performance  for  compliance  to  the  SLAs  and  requirements,  while  special  “red  teams” 
routinely  assess  network  security.  While  perfect  security  in  an  information- sharing 
environment  is  almost  impossible,  there  is  much  that  can  be  done  to  minimize  system 
vulnerabilities  or  potential  threats.  DoN  uses  a  Defense  in  Depth  (DiD)  strategy  that 
employs  state  of  the  art  protection  technology  like  content  monitoring/filtering,  firewalls, 
intrusion  detection  systems  (IDS),  encryption  and  PKI  [Note  2]  installed  in  a  layered 
system  of  defenses  to  protect  the  NMCI. 
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Protection  Tool 

Confidentiality 

Integrity 

Authenticity 

Availability 

Firewalls  and  Packet  Filtering 

Yes 

Yes 

Yes 

Intrusion  Detection 

Yes 

Yes 

Yes 

Content  Filtering 

Yes 

Yes 

Virtual  Private  Network  (VPN) 

Yes 

Yes 

Yes 

DoD  PKI  Enabled  Applications 

Yes 

Yes 

Yes 

Encryption 

Yes 

Yes 

Yes 

Figure  56:  NMCI  Tools  Protection  Matrix,  from  the  NMCI  Contract  N00024-00-D-6000, 
(Confirmed  Contract  P00080) 
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Figure  57:  NMCI  Layered  Defense 


The  Naval  Network  Warfare  Command  (NAVNETWARCOM)  determines  the 
overall  NMCI  IA  strategy  and  ensures  its  alignment  with  the  equivalent  DoD  strategy.  By 
focusing  on  Computer  Network  Defense  (CND),  with  emphasis  on  Defense  in  Depth,  the 
effort  is  to  deliver  a  sound  network.  There  is  a  mixture  of  DoN  personnel  and  EDS’ 
employees  within  every  NOC  to  facilitate  network  security  activities,  both  offensive  and 
defensive.  Responses  to  network  threats  and  attacks  constitute  Information  Warfare  (IW) 
defense  command  decisions  that,  as  a  minimum,  will  be  authorized  by  designated, 
uniformed  DoN  personnel.  The  Navy’s  command  structure  retains  directive  authority 
over  all  NMCI  threat  responses.  DoN  personnel  are  also  the  conduits  for  authorized 
responses  to  directives  received  from  JTF  CND  (Joint  Task  Force  Computer  Network 
Defense)  or  joint  service  regional  headquarters  for  coordinated  joint  service  response  to 
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threats.  As  the  Information  Condition  (INFOCON)  level  is  raised  during  time  of  conflict, 
DoN  personnel  will  retain  the  command  decision  authority.  The  security  safeguards  that 
DoN  receives  with  NMCI  include:  (www.nmci.navy.mil  (IA  and  Security),  accessed 
February  2004) 

•  Detection 

o  24x7  surveillance  against  unauthorized  intrusions 
o  Defense  against  internal  as  well  as  external  threats 
o  Inoculated  system  with  world-class  anti-virus  detection  tools 

•  Inspection 

o  Continually  monitoring  the  network  and  assessing  potential  threats 
to  the  IT  environment 

o  New  tools  and  activities  to  inspect  and  protect  systems 

•  Protection 

o  State-of-the-art  firewall  protection 

o  High  level  of  protection  standardized  across  the  whole  Department 
of  the  Navy 

o  Comprehensive  password  procedures  to  safeguard  information 

o  Implementing  Infonnation  Assurance 

•  Reaction 

o  Alerts  security  personnel  of  virus  contamination  24x7. 

o  Quarantine  contaminated  files,  limiting  potential  damage 

o  Automated  reports  of  unauthorized  intrusions  to  the  Navy  and 

Marine  Corps  security  teams. 

The  creation,  operation  and  use  of  information  infrastructures  for  productive  ends 
involve  three  principal  types  of  activity  (Gregory  J.  Rattray  (2001),  Strategic  Warfare  in 
Cyberspace.  Massac husetts-US A:  The  MIT  Press,  p.  32): 
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•  The  development  and  use  of  underlying  technologies,  including  hardware 
and  software  products  and  orchestration  of  standards  and  protocols  used 

•  Provision  of  networks  and  services  that  link  underlying  technologies  to 
provide  information  processing,  storage  and  transmission  capabilities  for  a 
wide  range  of  users 

•  Use  of  information  technologies  and  networks  by  individuals  and 
organizations  to  perform  desired  tasks 

An  organization  like  the  DoN  should  conduct  all  three  type  of  activity 
simultaneously  to  optimize  an  IT  system  like  NMCI  for  its  requirements,  but 
coordination  of  activities  to  deliver  a  completely  secure  structure  is  extremely  difficult. 
The  complexity  of  the  technologies  involved  has  resulted  in  the  involvement  of  a 
multiplicity  of  different  organizations  (beyond  military  control)  in  the  creation  of  the 
NMCI  and  although  the  approach  used  might  have  established  a  very  strong  security 
mechanism,  there  are  still  potential  threats.  A  summary  is  shown  in  figure  58: 

•  Insider  Threat  (Often  under-estimated) 

o  Disgruntled  personnel 
o  Unintentional  actions  of  user 
o  Trusted  insider 

•  Hacker/Cracker 

•  IVI alicious  Code/ Viruses/ Worms 

•  State  Sponsored  CIV  A  (Computer  Network 
Attack) 

•  DOS  (Denial  of  Service)  Attacks 

o  Self  imposed 
o  Deliberate  actions  of  others 

Figure  58:  List  of  NMCI  Potential  Threats 

Naval  networks  are  not  immune  from  hackers  or  malicious  code  and  are  a  prime 
candidate  target  for  state  sponsored  attacks.  A  wave  of  destructive  worms  has  focused 
attention  on  the  potential  vulnerability  of  the  NMCI  and  other  military  networks  to 
malicious  computer  attacks.  In  particular,  the  Blaster,  SoBig,  Welchia  and  other  worms 
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have  spurred  concerns  about  the  unintended  security  consequences  of  the  overwhelming 
worldwide  use  of  and  the  increasing  military  reliance  on  the  software  products  of  a  single 
company,  Microsoft.  The  worms,  viruses  and  Trojan  horses  mostly  spread  throughout 
corporate  and  personal  computer  systems  through  security  flaws  in  the  design  of  products 
from  Microsoft,  notably  its  Windows  operating  systems.  To  date,  all  branches  of  the  U.S. 
military  have  consciously  decided  to  standardize  their  enterprise  networks  on  Microsoft 
products.  As  a  result,  military  network  engineers  are  discovering  that  the  biggest  threat  to 
the  integrity  of  their  enterprise  systems  comes  not  from  a  coordinated  cyber  war  effort, 
but  rather  from  malicious  code  designed  to  spread  as  quickly  and  thoroughly  as  possible 
via  Microsoft  design  flaws. 

In  addition  to  the  external  threats  that  any  network  has  to  deal  with,  the  Insider 
Threat  to  the  NMCI  should  not  be  discounted  or  underestimated.  Included  in  that  threat 
are  the  accidental  or  unintended  actions  that  can  undermine  network  confidentiality, 
integrity  and  availability.  Public  Key  Infrastructure  (PKI),  client  intrusion  detections, 
Active  Directory  Control  and  a  host  of  other  systems  provide  protections  against  the 
insider  threat;  however  an  “authorized  user”  can  always  undennine  the  security  effort.  It 
is  still  under  question  the  level  of  the  end  -user  training  and  their  adaptation  in  the  “best 
use”  practices  that  can  both  make  a  significant  difference.  Additional,  there  is  always  the 
question  of  a  dissatisfied  EDS’  employee  holding  administrative  privileges  over  the 
NMCI. 

While  IT  increases  capabilities  in  the  military  domain,  it  also  creates  an  increased 
reliance  on  the  infrastructure  necessary  to  support  the  associated  networks.  The  threat  to 
the  GIG  is  extensive,  increasingly  sophisticated  and  a  real  danger  to  [the  U.S.]  national 
security.  The  threat  includes  nation-states,  more  than  40  of  which  have  openly  declared 
their  intent  to  develop  cyber  warfare  capabilities.  It  includes  transnational  and  domestic 
criminal  organizations,  amorphous  groups  of  hackers  who  sympathize  with  America’s 
enemies,  and  terrorist  organizations,  as  shown  by  what  the  DoD  has  learned  by  forensic 
analysis  of  captured  computers.  It  may  also  include  insiders — trusted  Americans  who 
become  traitors.  (Major  General  J.  David  Bryan  (Vice  Director  of  Defense  Information 
Systems  Agency),  article  “IA:  Holistic  View,  Targeted  Response”,  Military  Information 
Technology,  September  2003). 
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F.  ENDNOTES 

1.  An  interoperability  test  plan  to  test  the  validity  of  each  segment  was 
provided  by  the  contractor.  The  test  plan  provided  measures  of  interoperability  with 
respect  to:  Services  such  as  Standard  Office  Automation  Software,  E-mail  Services, 
Directory  Services,  Web  Access  Services,  Newsgroup  Services,  NMCI  Intranet 
Performance,  NIPRNET  Access,  Internet  Access,  Mainframe  Access,  Desktop  Access 
Government  Applications,  Unclassified  Remote  Access,  Classified  Remote  Access, 
Organizational  Messaging  Services,  Desktop  VTC,  Voice  Communications,  Wide  Area 
Connectivity,  BAN/LAN  Communications  Services,  Moveable  Video  Teleconferencing 
Seat,  Proxy  and  Caching  Services,  External  Networks,  SIPRNET,  and  Public  Key 
Infrastructure  (PKI). 


2.  A  firewall  is  a  collection  of  hardware  and  software  components  that  is 
used  to  provide  protection  for  a  defined  set  of  users  in  a  specified  DoN’s  enclave.  There 
are  different  types  of  firewalls  such  as  state  monitoring  firewalls,  application  layer  proxy 
firewalls,  and  router-based  firewalls.  The  DoN  has  chosen  to  implement  application  layer 
proxy  firewalls  at  all  entry  points  of  the  NMCI,  therefore  firewalls  can  be  at  boundaries 
1,  2,  3  and  4. 


Two  IVIain  IDS  IVIcthod  s 


•  Patter'll  IVIatcliing 

o  Compare  activities  to 
known  attacks 
o  Attack  combinations 
monitored 

o  Constrained  number  of 
events  to  monitor 
o  Computationally  efficient 
o  Performance  limitations  - 
scalability 
o  New  patterns  not 
recognized 

o  Requires  “learning”  or 
“■tuning”  by  skilled 
operators  with  attack 
knowledge 


•  /Vii *>m illy  Detection 

o  Well  understood  statistical 
techniques 

o  Limited  set  of  variables  - 
memory  efficient 
o  Time  series  analysis 
o  Threshold  driven  =>  easily 
adjusted  false  alarm  rate 
o  Historically  based  -  requires 
accurate  baseline 
o  Event  order  not  monitored 
o  Can  “average  out”  attacks 
o  Requires  skilled  operator  to 
define  statistics  Sc  set 
thresholds 


Figure  59:  Comparison  of  Main  IDS  Techniques 


NMCI  incorporates  both  network  and  host-based  IDS  as  part  of  the  layered 
defense  in  depth  strategy.  Although  a  host  based  monitor  can  examine  internal  state 
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information  that  does  not  flow  over  the  network,  thereby  tracking  insider  misuse  and 
attacks  that  slip  past  a  network  sniffer  (Network  based  IDS),  both  types  of  monitors  are 
potentially  vulnerable  to  bypass  and  sabotage,  (Denning,  p.  366)  [an  option  open  to  a 
determined  insider.] 


PKt  allows  you  to  conduct  business 
electronically  with  the  confidence  that: 

♦The  person,  sen  cfa  n  g  the  transact  ton  is 
actually  the  originator 

♦The  parson  receiving  il-i^  transaction  is  the 
intended  recipient 

♦Data  integrity  has  been  not  been 
co  m  p  rom  i  sed 


Figure  60:  Why  NMCI  is  Using  PKI 
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Figure  61:  Service  Taxonomy  via  Encryption-PKI  and  Digital  Signatures 

Content  monitoring  is  already  used  within  the  NMCI  to  provide  another  layer  of 
defense.  The  NMCI  incorporates  content  filtering  products  and  techniques,  because  many 
forms  of  electronic  information  can  contain  harmful  content  such  as  viruses,  worms,  and 
Trojan  horses.  This  “malicious  code”  can  be  transmitted  across  a  network  in  a  number  of 
ways  including  SMTP  email  attachments,  FTP  file  downloads,  and  Java  applets. 
Numerous  COTS  products  exist  that  can  check  these  routes  to  identify  such  potentially 
harmful  content.  If  properly  configured  and  frequently  updated,  these  tools  can  identity 
harmful  content  before  it  has  the  chance  to  do  any  damage,  and  in  many  cases  can  repair 
already  damaged  files.  (NMCI  Contract  N00024-00-D-6000,  (Conformed  Contract 
P00080),  Attachment  4,  p.12) 
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V.  CONCLUSIONS  AND  RECOMMENDATIONS 


Network-centric  warfare  (NCW)  establishes  the  idea  that  networks,  as  warfare 
enablers  (force  multipliers),  are  becoming  increasingly  necessary  and  important  to  the 
modem  military.  FORCEnet  is  a  transfonnational  architecture  for  the  Navy  and  Marine 
Corps  that  integrates  sensors,  networks,  decision  aids,  weapons  and  supporting  systems 
into  a  highly  adaptive  human-centric  maritime  system  that  operates  from  the  seabed  to 
space  and  from  sea  to  land.  To  secure  future  readiness  and  achieve  knowledge 
superiority  requires  the  horizontal  integration  of  NMCI  and  IT-21,  including  an  effective 
management  of  the  associated  data  flow.  FORCEnet  is  intended  to  be  the  seamless  link  to 
conduct  Joint  Forces  Operations  and  even  accommodate  expansions  that  fall  within  the 
Allied/Coalition  Forces  domain.  The  Navy  Marine  Corp  Intranet  (NMCI)  is  a  critical 
element  on  the  path  towards  FORCEnet  by  providing  synergy  through  network 
integration  and  facilitating  knowledge  management  at  the  DoN  level. 


Net-Centric  Warfare 


Figure  62:  The  Road  towards  FORCEnet,  from  www.forcenet.navy.mil  (What  is 
FORCEnet?),  accessed  February  2004 

NMCI's  mission  is  to  plan,  coordinate  and  align  the  DoN’s  information 
infrastructure  (enterprise  systems  and  data)  under  a  single,  coherent  and  forward-looking 
strategy.  The  driver  for  NMCI  is  to  provide  war-fighters  and  decision-makers  the  right 
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information  at  the  right  place  at  the  right  time.  Through  a  single  service  contract,  NMCI 
will  provide  end-to-end  connectivity  for  all  Navy  and  Marine  Corps  personnel  with 
voice,  video  and  data  services.  NMCI  is  the  foundation  that  will  enable  DoN-wide  web- 
based  processes,  knowledge  management  and  e-business  solutions.  With  NMCI  and  new 
approach  of  “IT  as  a  utility”,  apart  from  dealing  with  the  “bandwidth-starvation” 
problem,  the  DoN  is  expected  to  achieve  greater  efficiency  and  effectiveness  in  all  facets 
of  naval  operations  and  to  become  a  relevant,  current  and  highly  sophisticated  player  in 
the  new  “digital-type”  economy.  Web-enabling  the  Navy  is  vital  for  access  to  more 
effective  business  and  combat  applications. 
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Figure  63:  The  IT  as  a  Utility  Approach 


A.  NMCI  AT  THE  DON  LEVEL 


The  NMCI  implementation  effort  and  the  initial  performance  of  the  Intranet  have 
often  been  below  the  DoN’s  expectations  and  visions,  therefore  offering  the  opportunity 
for  severe  criticism.  For  example,  lack  of  change  management  practices  resulted  in  a 
hostile  behavior  from  specific  users,  as  was  the  case  for  those  that  were  forced  to  use  two 
separate  desktops  on  their  desk  to  perform  exactly  the  same  job  as  before.  Obviously,  this 
“dual  desktop”  phenomenon  did  not  provide  a  suitable  working  environment  to  the 
workforce  and  had  a  negative  impact  on  the  users’  productivity. 
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Research  of  articles  that  describe  end-users’  complaints  related  to  the  early  stage 
of  the  NMCI  shows  that  very  often  requirements  or  expectations  of  special  users  groups 
were  poorly  addressed  or  not  taken  into  account  at  all.  The  initial  training  provided  by 
EDS  to  the  users  in  the  majority  of  the  cases  was  not  sufficient  and  the  help-desk 
personnel  had  minimum  “hands-on”  experience.  Often  the  new  procedures  were  not 
explained  adequately  enough  to  the  end  users  before  declaring  the  operational  status  of 
the  site.  As  a  result  users  choose  to  avoid  the  help-desk  and  direct  complain  to  the  NOCs 
personnel  with  the  hope  that  their  demands  for  technical  support  would  be  solved  faster. 

In  a  specific  number  of  commands,  the  IT  operational  environment  was  already 
extremely  high  and  the  introduction  of  NMCI  destabilized  the  already  effective  IT 
functionality.  As  a  direct  result,  the  negatively  impacted  users  lost  their  confidence  in 
NMCI  and  the  reputation  of  the  program  within  the  DoN  community  diminished.  In  the 
next  facility  scheduled  to  join  the  Intranet  resistance  to  accept  the  implementation  was 
increased  and  additional  time  was  necessary  to  overcome  “cultural”  obstacles.  In  most  of 
the  sites,  transition  to  the  “cutover”  required  additional  time  and  resources  than  the 
nonnal  IT  staff,  resulting  in  degraded  IT  support  at  the  early  stages.  Many  times  there 
were  inconsistencies  among  the  technicians  implementing  the  infrastructure.  Finally,  in  a 
variety  of  sites  the  EDS  processes  and  instructions  to  the  technicians  were  incompatible 
with  the  DoN  practices,  and  an  extended  timeframe  along  with  a  revised  technical 
approach  were  necessary. 

However,  after  all  the  NMCI  is  an  “IT  equalizer”  effort  and  an  attempt  to  enforce 

a  centralized  decision  mechanism  on  IT  acquisition.  Complains  are  still  present,  because 

the  NMCI  introduction  has  created  a  certain  number  of  users  that  under  the  “cumulative” 

approach  receive  a  reduced  level  of  IT  services  than  when  commands  were  individually 

responsible  for  IT  support.  Experience  of  EDS  and  the  DoN  with  managing  the  NMCI 

introduction  has  improved  dramatically  within  the  last  year,  although  some  of  the  same 

types  of  mistakes  were  repeatedly  made.  Despite  some  of  the  negative  views  that  still 

remain  within  specific  groups  of  users,  NMCI  is  not  only  making  steady  progress  but  also 

the  DoN  is  slowly  discovering  the  promised  benefits  from  its  decision  to  tackle 

information  technology  acquisition  in  a  more  innovative  way.  The  vast  majority  of  NMCI 

users  are  satisfied  with  the  new  infrastructure,  according  to  survey  results  released  by  the 
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NMCI  director's  office  in  the  year  2003.  Overall  satisfaction  is  higher  than  70  percent  and 
is  increasing  as  time  goes  on  and  more  users  are  moved  over  to  the  system.  The  end  state 
objectives  of  NMCI  can  be  summarized  as  follows: 

•  Replace  diverse  Navy  networks  with  single  enterprise-wide  network 

•  Improved  security  across  the  DoN  enterprise 

•  Common  “look”  of  the  desktop 

•  Regular  technical  refreshments 

•  Implementation  of  Public  Key  Infrastructure  (PKI)  and  introduction  of  a 
records  management 

•  Create  shore  IT  infrastructure  to  allow  conversion  to  e-business  model  of 
common  corporate  applications  and  databases 

•  Affordable  IT  management  within  existing  DoN  budget 

•  Enable  innovation 


Operational  Value  Chain 


Figure  64:  The  NMCI  Operational  Value,  from  the  NMCI  Contract 
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At  the  moment,  NMCI  offers: 


•  Completely  automated  IT  asset  management 

•  Application  standardization  at  the  “Enterprise”  level 

•  Increased  security  posture  and  improved  data  management 

•  Automated  backup  and  restore  of  data 

•  Automatic  service  desk  problem  management  and  resolution 


Annual  Total  Cost  of 
Ownership  (TCO)  (SK| 

Security  (firewalls,  intrusion  detection, 
encryption) 

All  network  infrastructure 
Service  Level  Agreements  (SLAs) 

Enterprise  support  functions  (Help  Desk, 
Tech  Support,  etc.) 

Joint  and  industry  interoperability 

Wide  Area  Network  Access  (DISN, 
Commercial  WAN,  internet) 


Common  desktop  software  suite  with  built-in 
refresh 

Domain  Name  Service 
User  training 
Messaging 
Directory  services 
■  End-to-end  network  management 
Desktop  hardware  with  built-in  refresh 


A  Commercial  Service 


Figure  65:  Description  and  Financial  Bennefits  of  NMCI  for  the  DoN,  from  Rear  Admiral 
Chuck  Munns,  U.S.  Navy,  NMCI  briefing  at  the  SPAWAR-Industry  Day,  San  Diego- 
USA,  23rd  October  2003 
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A  summary  of  the  NMCI  benefits  is  shown  in  Figure  66: 


NMC] 

[  Benefits 

Improved  Security: 

Improved  Management  Oversight: 

-  Eliminates  points  of  entry 

-  Visibility  of  true  cost  of  IT 

-  Supports  multi-layered  defense 

-  Best  value 

-  Fields  PKI  and  smart  card 

-  On-line  metrics 

-  New  tools  for  intrusion  detection 

Economies  ofScaie: 

-  Independent  validation 

-  Savings  in  cost/unit  of  service 

-  Quantitative  measures  of  effectiveness 

-  High  performance  network  supports  thin  client, 

-  Incentives  for  improvement 

remote  servers  and  farms,  NOCs 

Improved  Qualify  of  Service; 

-  Commonality  reduces  maintenance  cost 

-  SLAs  embedded  in  contract  with 

-  Centralized  help  desk 

penalties  and  rewards 

-  Enterprise  software  licenses  (Reduction  in  cost) 

-  End  user  satisfaction  incentives 

-  Network  in  place  to  support  new  applications 

-  Built  in  tech  refresh 

-  Trend  monitoring  prevents  downtime  events 

-  100Mbps  to  every  desktop 

Personnel  Efficiencies: 

-  99.9%  availability 

-  Same  look  and  feel  across  enterprise  -  reduces 

training  cycle  and  overall  time 

-  High  quality  VTCs  reduce  time  lost  in  travel 

-  Workforce  focused  on  core  mission 

Secure  ...Interoperable... 
Best  Cost/ Unit  of  Service 

figure  66:  Summary  of  NMCI’s  Benefits 


Currently  in  the  final  stages  of  deployment,  there  is  a  much  more  mature  approach 
towards  the  NMCI  managing  activity.  The  NMCI  enhances  security,  improves 
standardization,  reduces  duplication  of  data  and  introduces  well-coordinated  back-up 
practices.  Finally,  the  NMCI  approach  has  the  potential  to  reduce  IT  support  costs  while 
giving  the  Navy  and  Marine  Corps  universal  access  to  integrated  data  communications 
and  videoconferencing  capabilities.  The  Intranet  is  now  operating  at  a  more  balanced 
level  and  helping  to  speed  up  a  variety  of  activities  that  support  the  DoN’s  mission,  from 
administrative  tasks  to  ammunition  supply.  The  common  network  capability  provided  by 
NMCI  is  finally  increasing  combat  readiness  and  effectiveness,  through  an  “enterprise¬ 
wide”  approach.  For  example,  the  introduction  of  the  Navy  Marine  Corps  Portal  (NMCP) 
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will  provide  an  integrated,  collaborative  environment  with  personalized,  role-tailored 
access  of  information  in  real  time  for  the  NMCI  users.  A  single  integrated  portal  structure 
will  allow  DoN  organizations  to  focus  solely  on  content  delivery  and  avoid  the  costs  of 


individually  developing  portal  features  and  functions. 


Figure  67:  The  Architecture  and  Connection  Points  of  NMCI 

After  the  360,000-plus  data  seats  for  NMCI  are  completely  cut  over,  which  EDS 
plans  to  finish  within  the  year  2004,  the  Navy  and  the  vendor  will  begin  work  on  the 
enterprise  voice  and  video  components  that  are  another  “neglected”  critical  element 
within  the  NMCI  approach.  The  “voice”  portion  of  NMCI  has  been  shifted  to  a  later  date 
of  implementation  to  keep  pace  with  industry’s  transition  of  quality  voice  over  Internet 
protocol  (Voice  over  IP).  VoIP  means  that  phone  numbers  are  no  longer  tied  to  an 
individual  handset,  ideal  for  workplaces  where  employees  hot-desk.  Each  person  can  be 
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assigned  a  phone  number,  which  goes  to  the  nearest  phone  whenever  they  log  into  the 
computer  system. 

1.  The  Current  Stage  of  the  NMCI  Implementation 

At  the  time  being,  the  ISF  has  assumed  responsibility  for  a  little  over  300,000 
seats,  with  more  than  160,000  seats  already  moved  to  the  cutover  stage.  Three  network 
operation  centers  are  fully  operational:  San  Diego,  California;  Oahu,  Hawaii;  and 
Norfolk,  Virginia.  A  center  also  is  almost  complete  at  the  U.S.  Marine  Corps  base  in 
Quantico,  Virginia  and  help  desks  are  in  place  in  Norfolk  and  San  Diego.  During  the 
startup  years  of  the  NMCI  program,  challenges  have  surfaced  primarily  in  legacy 
applications  but  also  in  terms  of  change  management.  However,  by  working  in  a  more 
coordinated  manner  with  the  ISF  and  with  the  NMCI  supervising  team  now  more  mature 
and  experienced,  the  DoN  has  employed  some  creative  solutions  to  address  these  issues, 
hence  the  progress  of  the  NMCI  continues. 


NMCI  contract’s  coordinator  EDS  Corp.  announced  with  its  last  dismal  quarterly 
financial  report  that  the  company  never  expects,  up  to  the  seventh  year  of  the  contract,  to 
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realize  a  profit  from  the  multibillion-dollar  project,  and  the  company  is  now  in  a 
relatively  weak  financial  position.  Improving  the  NMCI’s  service  levels  should  be  a  top 
priority  for  EDS,  which  can  receive  significant  financial  rewards  if  85  percent  or  more  of 
NMCI  users  report  that  they  are  satisfied  with  such  items  as  help-desk  responsiveness 
and  network  performance. 

Many  times,  the  EDS’  approach  was  flawed  or  unrealistic,  and  in  dealing  with  the 
entire  Navy  and  Marine  Corps  all  at  once,  the  company  faced  severe  resistance  and  in  the 
majority  of  the  cases  outright  hostility.  Changing  the  paradigm  from  computers  as 
individual  property  to  a  point  of  service  is  a  major  shift,  and  it  has  been  an  issue  that  had 
to  be  addressed  at  every  site.  Each  installation  facility  had  its  own  history  and  culture  that 
resulted  in  a  peculiar  behavior  regardless  of  what  the  DoN  guidelines  were.  EDS  also 
plowed  into  a  thicket  of  legacy  applications.  However,  the  blame  is  not  only  for  the  EDS 
side.  The  biggest  problem  with  NMCI,  which  the  company  won  in  October  2000,  was 
that  neither  EDS  nor  the  Navy  knew  the  full  scope  of  the  challenge. 

The  discovery  of  thousands  of  legacy  applications  on  obsolete  computers  vastly 
complicated  the  project.  Neither  the  DoN  nor  the  vendor  had  any  idea  how  many 
applications  would  have  to  be  dealt  with  and  unfortunately  it  turned  out  to  be  at  the 
100,000  level.  In  order  to  deal  with  the  problem  and  continue  with  the  creation  of  the 
Intranet  a  variety  of  techniques  like  the  “quarantined  seat”  and  “dual  desktops”  approach 
[Note  1]  were  used  as  shown  in  figure  69. 


Figure  69:  The  NMCI  Construction  Zones,  from  Rear  Admiral  Chuck  Munns,  Director  of 
NMCI,  NMCI  Progress  Briefing,  at  the  NMCI  -  Industry  Symposium  17  June  2003 
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Finally,  EDS  may  have  underestimated  Navy  and  Marine  Corps  network 
configurations  complexity  or  undervalued  its  bid  on  purpose,  hoping  to  a  stream  of 
profits  from  the  additional  services  offered  to  the  DoN.  EDS  wouldn’t  be  the  first 
company  to  price  products  on  a  large  project  at  a  loss,  counting  on  customers  to  load  up 
on  expensive  options.  But  the  slow  pace  of  the  NMCI  implementation  resulted  in  very 
few  additional  services  to  be  ordered  by  the  individual  commands  and  the  NMCI  bid 
evaluators  weren’t  fools.  The  DoN  got  a  great  price  on  a  truly  transforming  project  that 
forced  what  the  senior  leadership  believed  was  necessary  changes.  The  SLAs  have 
worked  in  favor  of  DoN  up  to  now  and  the  logical  conclusion  is  that  even  with  the 
various  mishaps  and  inconveniences,  the  Intranet  is  an  extreme  valuable  asset  to  the 
Department,  which  should  be  willing  to  continue  its  business  relationship  with  EDS.  The 
experience  that  EDS  has  already  acquired  through  implementing  and  operating  the  NMCI 
is  the  most  valuable  foundation  for  the  future  NMCI  success.  It  would  take  a  tremendous 
amount  of  time  to  rebuilt  “trustworthy”  relations  with  a  different  vendor,  (who  might  also 
repeat  EDS’  mistakes). 

Both  vendors  and  government  agencies  should  be  realistic  in  pursuing 
outsourcing  and  performance  contracts.  Winning  only  to  lose  isn’t  a  fonnula  for 
sustained  success  on  either  side.  Based  on  the  idea  that  the  NMCI  project  and  the 
associated  benefits  are  extremely  valuable  for  the  DoN,  whatever  the  NMCI’s  ultimate 
outcome,  there’s  a  lesson  here:  There's  a  lot  more  to  service-level  agreements  (SLA)  than 
gathering  metrics  or  monetary  incentives  and  penalties.  There  should  be  a  strong 
involvement  from  the  DoN  personnel  in  the  technology  selection/refresh  of  the  contract. 
Planning  and  continuous  reviews  are  necessary  in  order  to  insure  that  the  NMCI  approach 
is  executed  properly.  At  the  initial  launch  of  NMCI,  there  was  an  over  reliance  on  EDS  to 
deal  with  all  aspects  without  any  strong  support  from  the  DoN.  As  a  buyer  of  services  to 
be  delivered  under  an  SLA,  the  DoN  must  be  as  involved  and  proactive  as  it  would  be 
under  a  normal  service  contract. 

IT  managers  should  consider  when  buying  services  under  an  SLA 
(www.computerworld.com  (How  to  Buy  the  Best  IT  Performance),  accessed  March 
2004): 
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•  Technology  proposed  for  a  project 

•  Measurement  criteria  for  the  SLA 

•  Frequency  of  measurement 

•  Frequency  in  reporting 

•  Request  regular  periodic  reviews 

The  execution  of  the  NMCI  contract  has  proven  a  financial  drain  for  EDS’ 
resources.  There  is  always  the  possibility  that  it  is  the  contractor  not  the  DoN  that  might 
step  away  from  NMCI.  Setting  realistic  SLA  goals  will  go  far  in  achieving  overall 
success.  Making  it  too  easy  usually  means  that  users  or  the  parent  organization  aren’t 
getting  their  money's  worth;  making  it  too  difficult  will  increase  expenses  and  cause 
problems  in  the  relationship  with  the  vendor.  The  data  gathered  from  the  operational 
evaluation  must  be  compiled  with  other  information  that  is  being  collected  and  used  to 
determine  how  to  make  improvements  by  adjusting  the  SLAs  if  necessary. 

The  conclusions  of  the  operational  evaluation  should  be  the  new  basis  to  establish 
a  feasible  SLA  level  that  fully  conforms  to  the  DoN  requirements  and  at  the  same  time 
delivers  value  to  EDS.  Along  the  same  lines;  there  is  also  a  need  to  provide  clarity  in  the 
NMCI  future  budget.  Concerns  over  the  difficulty  of  identifying  the  total  cost  of  the 
NMCI  effort  in  the  DoN  budget  documents  have  been  repeatedly  expressed.  Apart  from 
renegotiating  the  SLAs,  another  possible  solution  for  the  NMCI  future  would  be  to 
provide  additional  finance  by  using  funds  already  allocated  for  older  IT  procurement 
programs  that  the  NMCI  will  supersede.  Renegotiation  the  Voice  and  Video  aspect  of  the 
NMCI  might  also  be  necessary,  because  of  the  delays  involved.  Also  economies  of  scale 
could  be  present  via  reducing  telephony  costs  through  the  VoIP  introduction. 

The  main  idea  of  this  thesis  is  that  that  the  IT  initiative  is  very  close  to  the  point  to 
deliver  the  promised  intangible  benefits  and  added  value  to  the  DoN  enterprise.  If 
necessary,  additional  resources  can  be  allocated  to  further  stabilize  and  improve  the 
operational  state.  NMCI  will  enable  connection  to  the  U.S.  national  infrastructure,  extend 
sharing  and  creation  of  knowledge  and  expertise  worldwide,  and  change  the  way  training 
is  conducted.  On  the  other  hand,  there  still  are  a  significant  number  of  related  activities 
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that  need  to  be  completed  before  enjoying  the  full  NMCI  benefits  and  justifying  the  need 
for  an  increased  budget: 
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Figure  70:  Activities  to  Supplement  the  NMCI,  Rear  Admiral  Chuck  Munns,  U.S.  Navy, 


NMCI  Director,  at  the  SPAWAR  Industry  Day,  San  Diego-USA,  23ld  October  2003 


2.  Cultural  Adjustment  and  the  Legacy  Issue 

It  is  necessary  to  demonstrate  crystal  clear  to  the  end  users  that  the  future  will  be 
better.  Up  to  the  year  2003,  DoN  had  whittled  down  its  100,000  legacy  applications  to 


almost  30,000,  through  a  process  of  eliminating  duplicate  or  obsolete  software.  That’s 
still  not  enough,  when  you  consider  that  the  Marine  Corps  are  now  operating  with  only 
320  legacy  applications. 
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Figure  71:  The  Reduction  of  Legacy  Applications 
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It  is  crucial  to  point  out  the  importance  of  the  legacy  integration.  The  longer  the 
DoN  supports  systems  outside  of  the  NMCI  security  umbrella,  the  longer  a  potential 
malicious  entity  could  take  advantage  by  exploiting  those  vulnerabilities.  So  there's  a  real 
need  for  speed  to  get  everything  inside  the  NMCI  boundaries.  Even  if  everything  is  not 
working  perfectly  in  NMCI,  being  inside  that  security  perimeter  is  the  really  important 
for  security  and  probably  the  only  way  to  significantly  raise  the  defense  levels. 

But  it  is  not  only  necessary  to  remove  applications  logistically  from  the  inventory. 
Based  on  the  results  of  the  FAM  evaluation  that  was  described  in  chapter  three,  effort 
should  be  given  in  order  to  develop  new  applications  in  the  NMCI  setting  to  replace  those 
legacy  ones  that  are  considered  of  extremely  high  value.  The  users  then  will  be  more 
willing  to  embrace  NMCI  if  they  have  tools  necessary  to  do  the  job  and  adequate  training 
is  given.  Instead  of  managing  the  “Legacy  Inventory”  in  a  top  to  bottom  approach,  there 
is  the  solution  to  redesign  and  deploy  the  necessary  applications  within  the  Windows  OS 
environment  of  NMCI,  by  adapting  commercial  available  tools  as  the  basis  of  the 
business  rules  used.  That  means  that  instead  of  conforming  software  to  the  DoN  business 
rules,  there  is  also  the  option  of  slightly  adjusting  the  business  rule  to  conform  to  the 
already  available  applications  of  the  commercial  sector.  Enterprise  Resource  Planning 
(ERP)  could  be  the  best  example  of  this  type  of  activity,  and  the  DoN  should  be 
committed  to  make  the  current  pilot  programs  a  complete  success. 

Another  point  of  interest  is  the  help-desk  function  provided  by  EDS.  It  is  not  only 

necessary  to  improve  the  quality  of  service  by  the  personnel  involved,  but  also  to 

consider  the  user’s  view.  The  user  needs  support  right  now  without  having  to  wait  in  a 

telephone  line.  If  the  majority  of  questions  cannot  be  answered  locally  then  a  highly 

specialized  team  should  be  created  to  deal  with  complicated  tasks.  Even  more  they  will 

be  able  to  take  advantage  of  lessons  learned,  since  statistically  the  same  type  of  problems 

will  happen  again,  and  they  will  have  the  necessary  experience  by  solving  it  the  first 

time.  In  addition  phone  based  or  web  based  automated  guides  should  be  provided  to  the 

user  in  the  form  of  “self-help”,  with  the  option  to  talk  with  help-desk  representatives,  if 

the  user  is  still  facing  a  problem.  What  I  am  suggesting  is  an  organization  of  help-desk 

service  in  a  form  of  multiple  tier,  where  the  central  zone  has  the  talented  people  for  the 

difficult  tasks  and  the  middle  zone  a  high  number  of  operators  to  facilitate  the  large 

135 


number  of  requests,  while  the  automated  voice  or  web  based  systems  in  the  outer  zone 
provide  problem  screening. 

3.  The  Security  and  IA  Aspect 

The  21st  century  presents  new  challenges  for  continued  maritime 
dominance  and  national  security.  We  have  crafted  an  approach  we  call  full 
dimensional  protection.  Joint  Vision  2020  states  that  full  dimensional 
protection  is  achieved  “ through  the  tailored  selection  and  application  of 
multi-layered  active  and  passive  measures.,,  For  the  DON,  that  protection 
takes  three  forms:  (1)  protecting  knowledge  pathways  through  information 
assurance  and  defense  in  depth,  (2)  protecting  our  centers  of  knowledge 
through  critical  infrastructure  protection,  and  (3)  protecting  our  knowledge 
workers  through  efforts  to  protect  individual  privacy. 

David  M.  Wennergren,  DoN  Chief  information  Officer  (DON  CIO) 


From  the  technical  point  of  view,  NMCI  provides  the  DoN  with  enterprise-wide 
continuity  of  operations.  NMCI’s  state-of-the-art  facilities  and  high- availability 
architecture  eliminate  significant  vulnerabilities,  such  as  maintenance-related  outages  and 
single  points  of  failure.  24x7-monitoring  activity  protects  the  Intranet  against  emerging 
threats,  and  business  continuity  planning  aims  to  assure  its  safe  future.  An  analysis  of  the 


NMCI  approach  to  protect  the  preserve  data  and  systems  is  shown  in  figure  72. 
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Figure  72:  The  NMCI  Approach  to  Ensure  Continuity  of  Operations,  from  EDS  Corp. 
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When  each  subordinate  command  had  its  own  network,  many  had  poor  security 
and  some  had  none.  The  NMCI  initiative  is  rooting  out  vulnerabilities  and  provides 
uniform  security  standards.  Although  protecting  all  the  type  of  information  and  data  flow 
can  be  a  challenge,  because  the  NMCI  network  carries  many  types  of  messages  (from 
service  members'  personal  e-mail  messages  to  highly  classified  intelligence  data, 
combating  orders  or  even  wartime  decision-making  videoconferences  among  officials), 
with  the  defense-in-depth  (DiD)  approach  security  protection  mechanisms  are  employed 
in  multiple  locations  within  the  network  architecture.  Through  the  enterprise-wide 
network,  the  Navy  can  conform  to  the  DoD  requirements.  When  a  threat  is  identified,  a 
defensive  measure  can  be  pushed  out  to  the  entire  Intranet  quickly,  via  the  Network 
operations  Centers  (NOCs).  Of  course  a  layered  approach  to  defense  can  always  be 
improved.  For  example,  defense  in  depth  could  mean  layering  link  encryption  over 
network  protocol  encryption,  and  further  layering  it  over  application  layer  encryption. 
Another  example  would  be  to  use  two  different  anti-viral  packages,  one  at  the 
firewall/application  server  and  another  (from  a  different  vendor)  installed  at  the  end-user 
workstation. 

a.  Additional  Efforts  from  the  DoN  Needed 


Defense  In  Depth  for  Technology 


Successful  Mission  Execution 


Figure  73:  A  Breakdown  of  the  Necessary  Component  for  the  Defense  in  Depth  Strategy. 

As  shown  in  figure  73,  there  is  a  very  important  element  within  the  DiD 

strategy  that  is  currently  underestimated,  namely  the  human  factor  contribution.  Apart 

from  the  increased  number  of  qualified  IT  administrators  necessary  to  support  the  secure 

operation  of  the  Intranet,  the  magnitude  of  NMCI  and  the  excessive  number  of  users 

associated  indicate  that  computer  security  training  should  be  included  at  the  Basic 
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Training  Level  for  all  DoN  personnel.  In  order  to  ensure  adequate  security  and  “best 
practices”  behavior  from  the  end  user,  there  is  a  need  to  establish  adequate  training  and 
practice  at  the  very  early  stages  of  building  qualifications.  There  is  the  opportunity  to 
create  the  necessary  “cultural”  foundation  to  promote  effective  safeguards  and  behaviors, 
by  educating  the  end  user  early  enough  and  before  even  allowing  him/her  to  use  the 
DoN’s  IT  systems. 


To  facilitate  IA  responsiveness,  additional  technical  capabilities  are 
required,  including  the  ability  to  observe  and  identify  risks  in  the  NMCI  operational 
environment.  There  is  the  need  to  predict  potential  malicious  activity  and  take  actions  to 
proactively  adapt  the  environment  to  prevent  potential  threats.  If  the  NMCI  is  attacked, 
the  DoN  should  be  able  to  identify  the  attempt  in  real-time  and  prevent  the  malicious 
activity  from  being  successful.  Trace-back  capabilities  to  identify  the  attacker  and  gain 
attribution  of  the  source  of  the  attack  to  a  legal  degree  of  certainty  are  also  necessary.  The 
NMCI  configuration,  because  of  a  climate  of  constant  change  associated  to  dealing  with  a 
variety  of  newly  discovered  or  continuously  evolving  weaknesses,  requires  a  network 
management  system  that  is  flexible,  expandable  and  designed  to  meet  current  and  future 
threats. 
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Figure  74:  Elements  of  Defensive  Information  Warfare  and  Information  Assurance,  from 
Dorothy  E.  Denning,  p.  38 


Internal  network  security  is  still  the  most  pervasive  threat.  After  building  a 
strong  defensive  posture  for  the  external  threat,  the  next  important  element  is  to  deal  with 
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the  insider’s  threat.  As  shown  in  figure  74,  it  is  possible  with  a  combination  of  adequate 
warnings  and  through  introduction  of  a  more  strict  policy  related  to  the  use  of  NMCI 
systems  to  deter  an  insider  user  from  inappropriate  or  insecure  behavior.  Content 
monitoring  is  currently  used  within  the  NMCI  to  ensure  availability  and  proper  usage  of 
government  assets  and  bandwidth,  and  to  provide  another  layer  of  defense.  Now,  more 
than  ever,  striking  the  delicate  balance  between  personal  privacy  and  national  security  is 
a  challenge  and  the  DoN  should  take  aggressive  measures  to  ensure  the  protection  of  the 
NMCI.  There  is  always  the  option  to  allow  preemptive  randomly  monitoring  of  the  end 
user  to  discourage  malicious  internal  activity.  Of  course  this  type  of  monitoring  will  have 
some  negative  impact  to  the  workforce-DoN  relationship  and  an  additional  thesis  is 
needed  to  determine  the  effects  of  declaring  to  the  end  users  that  some  of  them  will  be  the 
subjects  of  monitoring.  The  idea  of  randomly  monitoring  the  activity  of  a  selected  NMCI 
user  establishes  an  approach  similar  to  random  urinalysis,  currently  used  to  prevent  the 
use  of  illegal  drug  by  the  DoD  personnel. 

Spyware  is  a  generic  term  typically  describing  software  whose  purpose  is 
to  collect  demographic  and  usage  information  from  a  computer,  usually  for  advertising 
purposes.  The  term  is  also  used  to  describe  software  that  “sneaks”  onto  the  system  or 
performs  other  activities  hidden  to  the  user.  In  general,  Spyware  is  any  technology  that 
aids  in  gathering  information  about  a  person  or  organization  without  their  knowledge. 
Data  collecting  programs  that  are  installed  with  the  user’s  knowledge  are  not,  properly 
speaking,  Spyware,  if  the  user  fully  understands  what  data  is  being  collected  and  with 
whom  it  is  being  shared.  The  official  statement  placed  on  NMCI  computers  is  as  follow: 

This  is  a  Department  of  Defense  Computer  System.  This  computer  system, 
including  all  related  equipment,  networks,  and  network  devices 
(specifically  including  Internet  access  and  access  to  restricted  sites)  are 
provided  only  for  authorized  U.S.  Government  use.  DoD  computer 
systems  may  be  monitored  for  all  lawful  purposes,  including  to  ensure  that 
their  use  is  authorized,  for  management  of  the  system,  to  facilitate 
protection  against  unauthorized  access,  and  to  verify  security  procedures, 
survivability,  and  operational  security.  Monitoring  includes  active  attacks 
by  authorized  DoD  entities  to  test  or  verify  the  security  of  this  system. 

During  monitoring,  information  may  be  examined,  recorded,  copied  and 
used  for  authorized  purposes.  All  information,  including  personal 
information,  placed  or  sent  over  this  system  may  be  monitored.  Use  of  this 
DoD  computer  system,  authorized  or  unauthorized,  constitutes  consent  to 

139 


monitoring  of  this  system.  Unauthorized  use  may  subject  you  to  criminal 
prosecution.  Evidence  of  unauthorized  use  collected  during  monitoring 
may  be  used  for  administrative,  criminal,  or  other  adverse  action.  Use  of 
this  system  constitutes  consent  to  monitoring  for  these  purposes. 

Although  the  current  official  statement  is  also  sufficient,  a  possible 
solution  in  order  to  reflect  the  new  policy  of  “Preemptive  Monitoring”  is  to  change  the 
warnings  for  the  end  -user  to  read: 

This  is  a  Department  of  Defense  Computer  System.  This  computer  system, 
including  all  related  equipment,  networks,  and  network  devices 
(specifically  including  Internet  access  and  access  to  restricted  sites)  are 
provided  only  for  authorized  U.S.  Government  use,  AS  DESCRIBED  IN 
XXXXXXXXXX.  DoD  computer  systems  ARE  RANDOMLY  monitored 
for  all  lawful  purposes,  including  to  ensure  that  their  use  is  authorized,  for 
management  of  the  system,  to  facilitate  protection  against  unauthorized 
access,  and  to  verify  security  procedures,  survivability,  and  operational 
security.  Monitoring  includes  active  attacks  by  authorized  DoD  entities  to 
test  or  verily  the  security  of  this  system.  ALL  USERS  ARE  REMINDED 
THAT  THEY  SHOULD  HAVE  NO  EXPECTATION  OF  PRIVACY  IN 
THEIR  USE  OF  GOVERNMENT  INFORMATION  SYSTEMS.  USE  OF 
GOVERNMENT  INFORMATION  SYSTEMS,  INCLUDING  USE  OF 
THE  INTERNET  AND  E-MAIL,  IS  SUBJECT  TO  MONITORING, 
INTERCEPTION,  ACCESSING  AND  RECORDING.  During  monitoring, 
information  may  be  copied  and  used  for  ALL  authorized  purposes.  All 
information,  including  personal  information,  placed  or  sent  over  this 
system  may  be  monitored.  Use  of  this  DoD  computer  system,  authorized 
or  unauthorized,  constitutes  consent  to  monitoring  of  this  system. 
Unauthorized  use  may  RESULT  IN  DISCIPLINERY  ACTION  BY  DOD 
AND  MAY  BE  PASSED  TO  LAW  ENFORCEMENT  subjectING  you  to 
criminal  prosecution,  IF  APPLICABLE.  Evidence  of  unauthorized  use 
collected  during  monitoring  may  be  used  for  administrative,  criminal,  or 
other  adverse  action.  Use  of  this  system  constitutes  consent  to  monitoring 
for  these  purposes. 

b.  Efforts  Needed  from  Actors  outside  the  DoN  Influence 

In  the  beginning  of  year  2004,  Microsoft  Corp.,  which  provides  the  OS 
and  a  large  variety  of  applications  within  the  “Gold  Disk”,  released  its  first  monthly 
security  update,  following  a  new  schedule  that  attempts  to  ease  the  load  on  overburdened 
system  administrators.  The  software  giant's  move  to  a  monthly  from  a  primarily  weekly 
patch  release  schedule  is  a  major  change  for  system  administrators  bogged  down  by  a  to- 
do  list  of  fixes  to  apply  to  Windows  computers.  The  software  giant  believed  that  the  new 
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schedule  would  help  administrators  deal  with  the  workload.  However,  on  the  2nd  of 
February  2004,  Microsoft  broke  its  once-a-month  schedule  to  fix  a  critical  flaw  in 
Internet  Explorer  that  could  allow  malicious  coders  to  take  control  of  an  unwary  user's 
PC.  (www.ncws.com  (Microsoft  releases  early  IE  fix)  accessed  February  2004)  This 
action  alone  is  the  obvious  proof  that  the  patching  activity  is  not  working  and  enforcing  a 
more  organized  introduction  of  delivering  software  code  is  necessary  for  the  safeguard  of 
IT  systems. 

Active  Computer  Network  Defense: 

Both  Developers  and  Operators  are  Critical  Players 
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Figure  75:  Components  of  CND 

The  components  necessary  to  create  a  secure  network  are  described  in 
Figure  75  In  order  to  fully  “secure”  NMCI,  there  is  a  need  to  stress  that  software  should 
be  designed  to  be  secure.  Until  now,  Microsoft's  efforts  have  largely  centered  on 
improving  the  way  it  writes  its  code  and  then  fixing  holes  as  they  emerge.  However, 
recent  worm  and  virus  attacks  have  repeatedly  shown  that  many  customers  remain 
vulnerable  long  after  patches  have  been  released.  The  software  giant  is  already 
committed  to  deliver  more  secure  products  and  has  launch  its  “trustworthy  computing 
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initiative”  with  the  goal  to  deliver  the  level  of  trust  and  responsibility  that  is  expected 
from  the  computing  industry:  security,  privacy,  reliability,  and  business  integrity.  EDS  as 
a  business  partner  with  the  power  of  administering  3.3  million  desktops  and  related 
software  licenses  worldwide  has  a  significant  interest  to  use  more  secure  products  and 
should  welcome  the  delivery  of  a  better  quality  product  from  Microsoft. 

4.  More  Technical  Challenges  to  Come 

More  technical  challenges  for  NMCI  lay  ahead.  Under  the  DoD  new  policies,  all 
IT  acquisitions  in  support  of  the  Global  Infonnation  Grid  (GIG)  must  be  IPv6-compatible 
starting  October  1,  of  the  fiscal  2004.  Improved  end-to-end  network  security  will  be  one 
of  the  major  benefits  of  the  DoD’s  planned  shift  to  the  “next  generation”  Internet 
technology  known  as  Internet  protocol  version  6  (IPv6).  DoD  Chief  Information  Officer 
John  Stenbit  announced  in  June  2003  that  the  department  would  upgrade  to  the  new 
version  of  the  Internet  by  the  end  of  fiscal  2008. 

With  IPv6,  the  sender  of  information  could  decide  to  classify  it  in  a  certain  way, 
allowing  a  receiver  to  decode  the  data  only  if  he  or  she  has  the  proper  encryption 
capacity.  Such  authentication  is  optional  under  IPv4,  but  it  is  a  vital  part  of  IPv6.  The 
Internet  Engineering  Task  Force  (IETF)  designed  IPv6  security  to  provide  a  uniform 
method  of  security  across  all  applications  and  systems  by  implementing  authentication 
with  the  IP  security  protocol.  IP  security  protocol  enables  authentication  at  the  network 
layer,  layer  3,  of  the  open  systems  interconnection  (OSI)  model  for  computer  networks. 
The  network  layer  is  lower  than  the  transport  layer,  layer  4,  where  much  of  the 
encryption  for  solutions  such  as  secure  hypertext  transfer  protocol  (SHTTP),  secure  shell 
(SSH),  and  secure  socket  layer  (SSL)  occurs. 

The  military  services  and  other  DoD  components  must  set  up  IPv6  addresses  and 
naming  conventions  with  the  assistance  of  the  Defense  Information  Systems  Agency 
(DISA)  by  the  end  of  the  year.  Major  infonnation  technology  manufacturers,  such  as 
Microsoft  and  Cisco  Systems,  already  manufacture  equipment  and  software  compatible 
with  both  IPv4  and  IPv6.  Stenbit  identified  the  major  reasons  for  the  commercial 
transition  to  IPv6  as  a  shortage  of  IP  addresses,  quality  of  Internet  service,  and  security. 
IPv6  replaces  the  32-bit  addresses  of  IPv4  with  128-bit  addresses,  creating  a  nearly 

limitless  range  of  address  combinations  rather  than  the  few  billion  permitted  by  IPv4.  The 
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increase  in  addresses  is  also  designed  to  assist  with  the  deployment  of  wireless  devices. 
(Mickey  McCarter,  article:  “Internet  Shift  Boosts  Network  Security”,  -Military 
Information  Technology,  1st  of  September  2003) 

The  Ipv6  introduction  and  technical  challenges  topic  was  selected  to  demonstrate 
that  NMCI  would  be  an  evolving  entity  and  will  also  involve  dealing  with  a  series  of 
technical  challenges  in  the  years  to  come.  Careful  planning  in  advance  is  necessary  with 
extensive  analysis  of  risks  involved.  The  high  value  of  this  DoN  IT  asset  indicates  that 
the  current  managing  team  should  be  allocated  a  more  extended  timeframe  in  the  same 
position,  in  order  to  take  full  advantage  of  their  experiences. 

B.  NAVAL  POSTGRADUATE  SCHOOL  (NPS)  AND  NMCI 

The  Naval  Postgraduate  School  (NPS)  mission  underscores  the  importance  of 
advanced  education  and  research  to  the  future  security  of  the  U.S.  and  the  world. 
Advanced  education  and  research  in  the  21st  century  is  rooted  in  and  enhanced  by  IT 
functionality  as  an  enabling  tool  for  scientific  discovery,  learning,  and  communication. 
Every  goal  and  strategy  defined  in  the  NPS  mission  is  dependent  either  directly  or 
indirectly  on  IT.  At  the  time  this  thesis  was  near  completion,  it  was  made  known  to  the 
public  that  NPS  would  join  the  NMCI  soon. 

The  NPS  Information  Technology  Strategic  Plan  for  the  year  2003  raises  serious 
concerns  over  the  NMCI: 

•  The  academic  environment  is  based  on  experimentation,  testing,  and 
development  of  new  operating  systems,  software,  and  middleware.  This 
requires  putting  things  on  the  university  network  that  would  violate  NMCI 
integrity. 

•  Academic  work  is  fundamentally  based  on  peer  review  and  collaborative 
work.  As  a  result,  NPS  faculty  and  students  engage  in  research  projects 
with  other  universities,  research  centers  and  laboratories  and  access 
databases  and  research  sources  that  would  undermine  NMCI  standards. 

As  already  discussed,  NMCI  is  a  top  to  bottom  approach  to  enforce  uniform 
standards  and  create  a  centralized  control  mechanism  for  the  acquisition  and  support  of 

IT  systems.  NMCI  introduction  has  improved  the  operational  performance  of  many 
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facilities  ashore;  however  the  migration  towards  NMCI  is  a  very  delicate  procedure 
involving  many  risks.  To  begin  with,  NPS  is  at  the  highest  level  of  IT  functionality 
among  the  DoN.  NPS  is  already  operating  its  “private”  NOC  and  the  current  very  high 
level  of  IT  support  is  far  above  the  average.  NPS  students  are  already  IT  aware  when  they 
begin  their  studies,  and  they  expect  their  expertise  to  increase  significantly  as  a  result  of 
their  post-graduate  education,  therefore  necessitating  a  superior  IT  support.  Remote 
access  from  off-campus  housing  must  also  be  considered  within  any  discussion  of 
network  infrastructure  and  joining  the  NMCI.  Faculty  members  at  NPS  are  involved  with 
research  and  educational  programs  that  require  advanced  networking  infrastructure, 
sophisticated  user  support,  and  access  to  high  performance  computing.  NPS  operates  with 
clear  and  concise  IT  policies  and  procedures  that  support  an  uninterrupted  operational 
state  of  the  NPS’  Intranet  and  the  introduction  of  a  solely  “educational”  network  is 
included  in  the  strategic  plans  for  the  future. 

No  matter  that  the  NMCI  offers  many  economies  of  scale  in  terms  of 
maintenance  and  technology  refresh  or  software  license  acquisition  and  the  opportunity 
to  upgrade  the  infrastructure,  by  being  a  member  of  an  “equal  capabilities”  initiative, 
there  is  always  the  danger  that  the  end  result  for  NPS  will  be  to  deliver  inferior  IT 
services.  NPS  has  a  different  type  of  mission  when  compared  with  other  ashore 
installations.  Also,  there  are  issues  relating  to  supercomputing  access  and  support.  The 
Defense  Research  and  Engineering  Network  (DREN)  provides  adequate  service  for  DoD 
connectivity,  but  it  suffers  slowdowns  and  inefficiencies  in  connectivity  to  the 
commercial  Internet.  This  creates  problems  for  the  NPS  mission,  as  expanded  capacity 
and  speed  are  an  immediate  strategic  priority.  A  main  point  of  concern  is  that  NPS  is  a 
research  facility  with  a  need  to  use  Internet  2.  [Note  2] 

There  should  be  extensive  planning  in  advance  in  order  to  determine  which 

activities  the  NMCI  infrastructure  will  support  and  which  of  those  that  will  remain  in  the 

previous  state  of  IT  operation.  Additionally  NPS  must  not  only  deal  with  the  “legacy 

issue”,  but  with  the  software  it  produces.  Under  the  NMCI  umbrella,  new  software 

production  is  a  security  issue,  requiring  a  very  time  consuming  and  complex  procedure  to 

evaluate  software  applications  for  security  problems.  A  possible  solution  could  be  to 

separate  the  IT  support  into  two  different  segments:  One  will  be  supporting  the  Academic 
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and  Research  activities  and  the  second  separate  network  will  be  supporting  the 
Administrative  Tasks.  However,  the  NPS  functionality  includes  a  plethora  of  “Special 
User”  groups  that  were  often  excluded  from  the  original  NMCI  approach.  An  opportunity 
for  a  series  of  research  activities  is  present  to  address  all  the  issues  related  to  the  NPS  IT 
future,  which  should  be  considered  urgent  and  of  great  importance.  Risk  reduction 
techniques  and  every  alternative  option  should  be  examined  before  the  final  decision  for 
the  NPS  migration  to  the  NMCI  is  made. 

C.  ENDNOTES 

1 .  Quarantined:  Preserve  the  previous  state  of  desktop  configurations  even  if 
the  whole  site  was  declared  operational  within  NMCI. 

Dual  Desktop:  Use  of  one  desktop  with  NMCI  standard  configuration  and 
a  second  one  for  the  same  user  to  support  functionality  that  was  NMCI  incompatible  or  a 
potential  security  threat. 

2.  Internet2  is  a  consortium  being  led  by  205  universities  working  in 
partnership  with  industry  and  government  to  develop  and  deploy  advanced  network 
applications  and  technologies,  accelerating  the  creation  of  tomorrow's  Internet.  Intemet2 
is  not  a  separate  physical  network  and  will  not  replace  the  Internet.  Internet2  brings 
together  institutions  and  resources  from  academia,  industry  and  government  to  develop 
new  technologies  and  capabilities  that  can  then  be  deployed  in  the  global  Internet.  Close 
collaboration  with  Internet2  corporate  members  will  ensure  that  new  applications  and 
technologies  are  rapidly  deployed  throughout  the  Internet.  Just  as  email  and  the  World 
Wide  Web  are  legacies  of  earlier  investments  in  academic  and  federal  research  networks, 
the  legacy  of  Internet2  will  be  to  expand  the  possibilities  of  the  broader  Internet.  The 
purpose  is  to:  Iwww.internet2.edu  (About  Intemet2)  accessed  March  2004) 

•  Create  a  leading  edge  network  capability  for  the  national  research 
community 

•  Enable  revolutionary  Internet  applications 

•  Ensure  the  rapid  transfer  of  new  network  services  and  applications  to  the 
broader  Internet  community. 
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budget)  accessed  February  2004. 

16.  www.mit-kmi.com  (NMCI:  Now  for  the  Networks)  accessed  February 
2004. 

17.  www.msdinc.com  accessed  February  2004. 

18.  www.tyckometrics.com  accessed  February  2004. 

19.  www.fcw.com  (Navy,  EDS  to  refine  performance  metrics)  accessed 
March  2004. 

20.  www.cisco.com  (Products)  accessed  March  2004. 
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22.  www.computerworld.com  (How  to  Buy  the  Best  IT  Performance) 
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February  2004. 
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8.  EDS  Corp.:  Profits  Review  for  the  year  2003. 
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APPENDIX  A 


NMCI  CONTRACT  LINE  ITEM  NUMBERS  (CLINS) 


CLIN 

Description 

Last  Posted 

0001AA 

Fixed  Work  Station,  Red 

Nov  13,2003 

0001AB 

Fixed  Work  Station,  White 

Nov  13,2003 

0001AC 

Fixed  Work  Station,  Blue 

Nov  13,2003 

0001AD 

Fixed  Work  Station,  Thin  Client 

Aug  4,  2003 

0001AE 

Remote  User  Credit  (Moved  to  CLIN  004105) 

Feb  19,  2003 

0001AF 

Fixed  Workstation,  Classified  Thin  Client 

Dec  15,  2003 

0002AA 

Portable  Seat 

Nov  13,2003 

0002AB 

Ultra-Lightweight  Portable  Seat 

Nov  13,2003 

0003AA 

Embarkable  Work  Station,  Full  Service 

Nov  13,2002 

0003AB 

Embarkable  Work  Station,  Limited  Service 

Mar  26,  2002 

0004AA 

Embarkable  Portable  Seat,  Full  Service 

Dec  15,  2003 

0004AB 

Embarkable  Portable  Seat,  Limited  Service 

Mar  26,  2002 

0004AC 

Non-Ruggedized  Deployable  Portable 

Nov  13,2003 

0005AA 

Basic  Flybrid  Seat 

Nov  13,2003 

0005AB 

Enhanced  Flybrid  Seat 

Nov  13,2003 

0005AC 

Reserved 

Jan  16,  2002 

0005AD 

Personal  Access  Package  -  100%  Concurrent  Use 

Aug  12, 2002 

0005AE 

Personal  Access  Package  -  30%  Concurrent  Use 

Aug  21,  2002 

0006 

Additional  Standard  Wall  Plug  Service 

May  21,  2003 

0006AA 

Additional  Standard  Wall  Plug  Service 

May  21,  2003 

0006AB 

Unclassified  Wall  Plug  -  Service  Only 

May  21,  2003 
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0006AC 

0006AD 

0006AE 

0006AF 

0006AG 

0006AH 

0006AJ 

0006AK 

0007 

0007 

0007 

0007 

0007 

0008AA 

0008AB 

0009AA 

0009AB 

0009AC 

0009AD 

0009AE 

0009 AF 

0009AG 


Classified  Wall  Plug  -  Service  Only 
Unclassified  Wall  Plug 

Classified  Wall  Plug  -  Inside  a  Controlled  Access  Area 
Classified  Wall  Plug  -  Outside  a  Controlled  Access  Area 
Project  Wall  Plug 

Switch  Port  -  Low  Bandwidth  Service 

Switch  Port  -  High  Bandwidth  Service 

Sub-Device  IP  Address  Management  Service 

High-End  Upgrade  Packages 

For  CLIN  0001AA  Fixed  Workstation  Red 

For  CLIN  0002AA  &  0002AB  Portable 

For  CLIN  0003AA  Full  Service  Embarkable 

For  CLIN  0004AA  Full  Service  Embarkable  Portable 

Mission-Critical  Upgrade  Package  -  Single  Connection 

Mission-Critical  Upgrade  Package  -  Dual  Connection 

Classified  Connectivity  Upgrade  Package 

Switchable  Classified  Connectivity  (Thin  Client  Solution) 

Switchable  Classified  Connectivity  (Dual  CPU  Solution) 

Re-Bootable  Classified  Connectivity  Upgrade  Package 

Switchable  Classified  Connectivity  Upgrade  Package 

(Dual  CPU  Solution/White) 

Switchable  Classified  Connectivity  Upgrade  Package 

(Dual  CPU  Solution/Blue) 

Switchable  Classified  Connectivity  Upgrade  Package 

(Dual  CPU  Solution/Portable) 


May  21,  2003 
May  27,  2003 
May  27,  2003 
May  27,  2003 
Nov  4,  2003 
Sep  22,  2003 
Sep  22,  2003 
Sep  22,  2003 
N/A 

Nov  13,2003 
Nov  13,2003 
Nov  13,2002 
Dec  12,  2001 
May  21,  2003 
May  23,  2003 
Apr  22,  2003 
Oct  22,  2003 
Mar  26,  2002 
Mar  6,  2002 
Mar  26,  2002 

Mar  26,  2002 

Mar  26,  2002 
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0009AH 

001 OAA 

0010AB 

0010AC 

0010AD 

0010AE 

0010AF 

0010AG 

0011 

0012 

0013 

0014 

0015 

0015AA 

001 5  AB 

0015AC 

0015AD 

001 6  AA 

0016AB 

0016AC 

001 6  AD 

0017 

0018 


Switchable  Classified  Connectivity  Upgrade  Package 
(Dual  CPU  Solution  /  Non-Ruggedized  Deployable 
Portable) 

Basic  Voice  Seat 
Business  Voice  Upgrade  Package 
Mission-Critical  Voice  Seat  Upgrade  Package 
Pier  Voice  Line 
Pier  Voice  Trunk 
Commercial  Voice  Seat 
Commercial  Voice  Connectivity 
Secure  Voice  Seat 
Mobile  Phone  Seat 
Personal  Paging  Service  Seat 
Fixed  Video  Teleconference  Seat 
Moveable  Video  Teleconference  Seat 
Basic  Moveable  VTC  Seat 
High-End  Moveable  VTC  Seat 
Mission-Critical  Moveable  VTC  Seat 
Premium  Moveable  VTC  Seat 
Additional  File  Share  Services  -  Unclassified  (10Gb) 
Additional  File  Share  Services  -  Classified  (10Gb) 

Email  Storage  -  Unclassified  (25Mb) 

Additional  Email  Storage  -  Classified  (25MB) 
Internet  Access  for  Mobile  Phone  Seat 
Classified  Remote  Access  Service 


Jul  24,  2002 


Dec  4,  2000 
Dec  4,  2000 
Apr  9,  2001 
Dec  4,  2000 
Dec  4,  2000 
Dec  4,  2000 
Dec  4,  2000 
Dec  4,  2000 
Dec  4,  2000 
Jul  24,  2002 
Nov  4,  2003 
Dec  4,  2000 
May  22,  2002 
May  22,  2002 
Dec  4,  2000 
May  22,  2002 
May  21,  2003 
May  21,  2003 
Aug  1,  2003 
May  21,  2003 
Dec  4,  2000 
Mar  26,  2002 
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0019 

Reserved 

Jul  2,  2000 

0020 

Data  Seat  Voice  Communications  Upgrade 

Apr  9,  2001 

0021 

Defense  Messaging  System  Data  Seat  Upgrade 

Mar  6,  2002 

0022AA 

Basic  Desktop  VTC 

Aug  1,  2003 

0022AB 

High-End  Desktop  VTC 

Aug  1,  2003 

0023 

Optional  User  Capabilities 

Nov  03,  2003 

0024 

Additional  Non-Classified  Account 

Apr  9,  2001 

0025 

Additional  Classified  Account 

Apr  9,  2001 

0026 

Additional  Moves,  Adds,  Changes 

May  21,  2003 

0026AA 

Additional  Moves,  Adds,  Changes 

Jun  26,  2003 

0026AB 

Physical  MAC  Group  of  50 

Jun  26,  2003 

0026AC 

Physical  MAC  -  Group  of  250 

Jun  26,  2003 

0026AD 

COI  MAC 

Jun  26,  2003 

0026AE 

Voice  Moves,  Adds,  and  Changes 

Sep  22,  2003 

0026AF 

VTC  Moves,  Adds,  and  Changes 

Jan  5,  2001 

0026AG 

Annual  Administrative  MAC 

May  21,  2003 

0026AH 

Annual  Physical  MAC 

May  21,  2003 

0026AJ 

Annual  Physical  MAC  (Needing  a  Wall  Plug) 

May  21,  2003 

0026AK 

Annual  Embarkable  MAC 

May  21,  2003 

0026AL 

Administrative  MAC  (Single) 

Jun  26,  2003 

0026AM 

Physical  MAC  (Single) 

Jun  26,  2003 

0026AN 

Embarkable  MAC  (Single) 

Jun  26,  2003 

0026AP 

Project  MAC  (Single) 

Nov  4,  2003 

0027AA 

Standard  Low  Bandwidth  Application 

May  21,  2003 
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0027AB 

Standard  Medium  Bandwidth  Application 

May  21,  2003 

0027AC 

Standard  High  Bandwidth  Application 

May  21,  2003 

0027AD 

Mission-Critical  Low  Bandwidth  Application 

Dec  4,  2000 

0027AE 

Mission-Critical  Medium  Bandwidth 

Application 

Feb  6,  2001 

0027AF 

Mission-Critical  High  Bandwidth  Application 

Dec  4,  2000 

0027AG 

Legacy  Application  Server  Connection 

Jun  26,  2003 

0028 

Data  Warehousing 

Nov  4,  2003 

0029 

Legacy  Systems  Support 

Nov  4,  2003 

0030 

Network  Operations  Display 

Jan  16,  2002 

0031 

Military  Personnel  Core  Competency 

Development  (Sea-Shore  Rotation  and  Operating 

Forces/Supporting  Establishment  Rotations) 

Jan  25,  2002 

0032 

External  Network  Interface 

Nov  4,  2003 

0033 

Information  Technology/Knowledge 

Management  Retraining  Program 

Feb  6,  2001 

0034 

Satellite  Terminal  Support 

Nov  4,  2003 

0036 

OCONUS  Service 

Jun  6,  2003 

0038AA 

Developer  Fixed  Workstation  Upgrade 

Jan  16,  2002 

0038AB 

Developer  Portable  Workstation  Upgrade 

Mar  26,  2002 

0038AC 

S&T  Terminal  Services 

Sep  22,  2003 

0038AD 

S&T  Fast  Ethernet  Wall  Plug 

Jan  16,  2002 

0038AE 

S&T  Wall  Plug  Service  -  Modified  Gigabit 

Ethernet  Network  Transport-Lots  of  4 

Jan  16,  2002 

0038AF 

S&T  Wall  Plug  Service  -  Modified  Gigabit 

Ethernet  Network  Transport-Lots  of  8 

Jan  16,  2002 
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0038AG 

S&T  Wall  Plug  Service  -  Modified  Gigabit 

Ethernet  Network  Transport-Lots  of  16 

Jan  16,  2002 

0038AH 

S&T  Network  Transport  -  Other 

Nov  4,  2003 

004101 

Desktop  Support 

Feb  19,  2003 

004102 

Desktop  Refresh 

Feb  19,  2003 

004103 

Desktop  Refresh  With  NMCI  Gold  Disk  Software 

Feb  19,  2003 

004104 

Assumption  of  Responsibility 

Feb  19,  2003 

004105 

Remote  User  Credit 

Feb  19,  2003 

004106 

Remote  User  Credit  (Japan) 

Jun  6,  2003 

0043 

Asbestos  Material  Abatement 

Aug  1,  2003 

0044 

Department  of  Defense  Mentor-Protege  Program 

(0044AA  -  0044 AF) 

Dec  23,  2003 

Table  A:  List  of  CLINs  Related  with  the  NMCI  Contract,  (www.nmci-isf.com  (Services 
and  Contract  Line  Item  Number  (CLIN)),  accessed  February  2004) 
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APPENDIX  B 


NMCI  SERVICE  LEVEL  AGREEMENTS  (SLA) 


Service  Level  Measurement 


SLA  Category 


SLA  1:  Desktop  Hardware  and  Operating  System 

Installation  Accuracy  99.5%  <90.0%  >90.0%  >95.0%  99  5% 

<  95  0%  <99  5% 


-2 

-1 

0 

+1 

+2 

+4 

Availability 

99.7% 

Problem  Resolution 

2 

Business 

Days 

>  99.5% 


>  99.7% 


SLA  2:  Standard  Office  Automation  Software 


Installation  Accuracy  199.5%  <90  0%  l>  90.0% 


Software  Currency 


Interoperability 


SLA  3:  E-Mail  Services 


Availability 


Problem  Resolution  1  Hour 


Performance  of  E- 
Mail  Transfer 


Interoperability  Within  1 

Day 


SLA  4:  Directory  Services 

Availability  99.5% 


99.5%  <  90  0%  >  90.0%  >  95.0%  99  5% 

<  95.0%  <  99  5% 


>  99.5% 


Responsiveness  - 
Network  Connected 


Responsiveness  •  Dial 
In 


Timeliness  of  Directory 
Updates 


Accuracy  of  <5%  of 

Global/Local  On-Line  Users 
Directory 


Interoperability  Within  1 

Day 


2  Seconds 


>2<4 

Seconds 


>20  <30  20 Seconds  <20>15  <15  >10  <10 

Seconds  Seconds  Seconds  Seconds 


Within  4 

Hours 

99.9% 


>5%  of  5  %  of 
Users  Users 


1  Day  IWithin  1  Day 


Service  Level  Measurement 


SLA  Category 


SLA  5:  File  Shared  Services 

Availability  to  99.5%  <90.0% 

Required  Users 


Data  Integrity 

.05% 

Time  to  Recover  Lost 
Files 

95.0% 
One  Day 

Shared  File 

Performance  -  Network 

2 

Seconds 

Shared  File 

Performance  -  Dial  In 

30 

Seconds 

SLA  6:  Web  Access  Services 


Availability 


Performance  of 

NMCI  Web  Access 

15 

Seconds 

Interoperability 

Within  1 
Day 

SLA  7:  Newsgroup  Services 


Availability 

99.5% 

Interoperability 

95.0% 

Performance 

90.0% 

Interoperability 

Within  1 
Day 

SLA  8:  Deleted 


SLA  9:  Print  Services 


Availability 


<  95.0%  <  99  5% 


>  05% 


>4<  10 
Seconds 


>  40  <  50 


<  90  0% 


>  95.0% 
<  99  5% 


>  15 

Seconds 


<90  0%  >90.0% 
<  95.0% 


SLA  10:  NMCI  Intranet  Performance 


<90  0%  >90  0% 
<  95.0% 


Availability 

99.8% 

Latency/Packet  Loss 

70-100 

ms 

Interoperability 

Within  1 
Day 

Problem  Resolution 

30 

Minutes'3 

Hours 

>  99.5% 


<  95  0%  95  0%  One  >  95.0% 

One  Day  Day  One  Day 


2  Seconds 


30Seconds  < 30 >.25  <25>15  <15 

Seconds  Seconds  Seconds 


>  99.5% 


15  <15 

Seconds  Seconds 


Within  1  Day 


>  95.0% 

<  99  5% 

99  5% 

<  95  0% 

95  0% 

<  90  0% 

90  0% 

>  1  Day 

Within  1  Day 

>  95.0% 
<  99  5% 


>  95.0% 
<  99  8% 


>  100  ms 


70-100  ms  <  70  ms 


Within  1  Day 


30 

Minutes/3 

Hours 


<30 

Minutes/3 

Hours 


SLA  11:  NIPRNET  Access 


\ Availability  99.5% 


<  90  0%  >  90  0% 
<  95.0% 


>  95.0% 
<  99  5% 
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Service  Level  Measurement 


SLA  Category 

Latency/Packet  Loss 

30  ms/ 

1% 

Interoperability 

Within  1 
Day 

SLA  12:  Internet  Access 

Availability 

98.0% 

Interoperability 

Within  1 
Day 

30ms/1%  <30 

ms/1% 


>  1  Day  Within  1  Day 


<  95.0% 


>  1  Day  Within  1  Day 


SLA  13:  Mainframe  Services  Access 

Availability  99.5%  <90.0%  >90.0%  >  95.0%  99  5% 

<  95.0%  <  99  5% 


-  99.5  ■ 


Interoperability 


Within  1 
Day 


>  1  Day  Within  1  Day 


<  4  Hours 


SLA  14:  Desktop  Access  to  Government  Applications 


Availability  99.5%  <  90.0%  >  90.0%  >  95.0%  99.5% 

<95.0%  <  99  5% 


Interoperability 


Within  1 
Day 


SLA  15:  Moves,  Adds  and  Changes 


Responsiveness 


Incidence  of  Repeat  2% 
Calls 


Performance 


SLA  16:  Software  Distribution  and  Upgrades 

Upgrade  Backouts  £3.0%  ] 


>  6  Days  < 

8  Days 

6  Days 

>2% 

2% 

<  96% 

96% 

Upgrade  Currency 

98% 

Patches  Currency 

98% 

SLA  17:  User  Training 


Security  Training  95.0% 
Execution 


User  Training 
Execution 


>30% 

3% 

<3.0% 

<  98% 

98% 

>  98  % 

<  98% 

98% 

>98% 

<  95.0% 

95  0% 

>  95.0% 

<  95% 

95% 

>95% 

<  80% 

80% 

>80% 

<  80  0% 

80.0% 

>  80.0% 

Quality 


SLA  18:  Unclassified  Remote  Access 


Availability  99.5%  <90.0%  >90.0%  >95.0%  99  5% 

<  95  0%  <  99  5% 
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SLA  Category 


Capacity 


Interoperability  Within  1 
Day 


SLA  19:  Classified  (Secure)  Remote  Access 


Service  Level  Measurement 


-2 


-1 

0 

<300% 

30.0% 

>  1  Day 

Within  1  Day 

Availability 

>  99  5% 

Capacity 

30.0% 

Interoperability 

Within  1 
Day 

<  95  0%  <  99  5% 


<300% 


SLA  20:  Portable  Workstation  Wireless  Dial  In 


Mean  time  to 

98% 

repair/replace  for 

Within  3 

hardware 

Business 

components 

Days 

SLA  20A:  Organizational  Messaging  Service 


Availability 

99.50% 

Problem  Resolution 

1  Hour 

Interoperability 

Within  1 
Day 

<  4  Hours 


>  99.5% 


>30.0% 


vV  '.11111  '  Da/ 


<  4  Hours 


>  98% 
Within  3 
Business 
Days 


>  1  Hour  1  Hour  <  45 

Minutes 


>  1  Day  Within  1  Day 


>  99.5% 


<  4  Hours 


SLA  21:  Desktop  Video  teleconference  Services 


Availability  99.50%  <90% 


>  99.5% 


Audio  and  Video 
Quality  (Integrity) 


System  Performance  70.00%  <  60% 


15  Frames/  >  15 

sec  Frames/ 


Gateway  Capacity  80% 


Interoperability  Within  1 
Day 


Reliability  of  Session  85% 
Initiation 


SLA  22:  Voice  Communications 


Availability 


Dial  Tone  Delay 


<  80%  80% 


>  1  Day  Within  1  Day 


<  75%  <  85%  >  85% 

75% 


encounter 
delay  >  3 
Seconds 


>  95.0% 

<  99  99% 

99  99% 

>15%  of 
calls  offered 
encounter 
delay  >  3 
seconds 

Not  more 
than  1 .5% 
calls  offered 
encounter 
delay  >  3 
Seconds 

<  4  Hours 


>  99.99% 
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SLA  Category 

im 

Grade  of  Service  -End 
User  to  End  User  Calls 

P.05 

Grade  of  Service  -End 
User  to  External 
Networks 

P.01 

Latency 

120  MS 

Delay  Vanation/Jitter 

60  MS 

Trouble  Repair  Times 

24  Hours 

Operator  Assisted 
Calling 

<2 

Minutes 

Absolute  Echo  Path 
Delay 

<  25  MS 

Interoperability 

Within  1 
Day 

Service  Level  Measurement 


-2 


SLA  23:  Basic  Help  Desk  Services 


Responsiveness 
(Time  to  Answer  Call) 

Prime 

Time 

Average 

<_40 

Seconds 

Responsiveness  (% 
of  Calls  Abandoned) 

<  7.0% 

Responsiveness 

(General 

Administration) 

1day/2hr 

s 

95.0% 

Responsiveness  (% 
of  Call  Resolved  on 
First  Contact) 

65.0% 

Responsiveness 
(Notification  of 
Unplanned  Service 
Outage) 

Within  15 
Minutes 

-1 

0 

P  >  .05 

P.05 

P  >  .01 

P.01 

>  120  MS 

120  MS 

>60  MS 

60  MS 

>  24  Hours 
<  48  Hours 

24  Hours 

>  2  Minutes 

2  Minutes 

>25  MS 

25  MS 

>  1  Day 

Within  1  Day 

SLA  24:  WAN  Network  Connectivity 


Availability  (WAN 
Connectivity) 

99.99% 

%  Bandwidth  Used 

40.0% 

Problem  Resolution 
(Response  Time) 

30 

Minutes/ 
3  hours 

Interoperability 

Within  1 
Day 

>  95.0% 

<  99.99% 

99  99% 

>40  0% 

40.0% 

>30 

Minutes  < 
45  Minutes 

30 

Minutes/3 

hours 

>  1  Day 

Within  1  Day 

>  99.99% 


SLA  25:  BAN/LAN  Communications  Services 


Availability  99.9%  <90  0%  >90.0%  >95.0%  99  99% 

<  95.0%  <  99  9% 


>  10  ms  10  ms  <  10  ms 


Availability 

99.9% 

Latency 

10  ms 
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Service  Level  Measurement 

SLA  Category 

Metric 

(SPM) 

-4 

-2 

-1 

0 

+1 

+2 

+4 

%  Bandwidth 
Utilization  on  Shared 
Network  Segments 

40.0% 

>40.0% 

40.0% 

<  40.0% 

Problem  Resolution 

30 

Minutes'3 

Hours 

>(60 

Minutes/6 

Hours) 

>(30 
Minutes/3 
Hours)  £(60 
Minutes/6 
Hours) 

30 

Minutes/3 

Hours 

<30 

17  rutes/3 
Hours 

Interoperability 

Within  1 
Day 

>  1  Day 

Within  1  Day 

<  4  Hours 

SLA  26:  Movable  VTC  Seat 

Availability 

99.50% 

<  90% 

>  90.0%  < 
95% 

>95  0%  < 
99.5% 

99.5% 

>  99.5% 

Video  Quality 

128 

Kbps/15 

fps 

<128 

Kbps/1 5 
fps 

128 

Kbps/15 

fps 

>  128 
Kbps/1 5 
fps 

Gateway  Capacity 

95% 

<  95% 

95% 

>  95% 

Multipoint  Capacity 

85% 

<  85% 

85% 

>  85% 

Reliability  of  Session 
Initiation 

85%'95% 

<  85%/95% 

85%/95% 

> 

85%/95% 

Interoperability 

Within  1 
Day 

>  1  Day 

Within  1  Day 

<  4  Hours 

SLA  26A :  Proxy  and  Caching  Service 

Availability 

99.50% 

<  90% 

>  90.0%  < 
95% 

>95.0%  < 
99.5% 

99.50% 

>  99  5% 

Average  Hit  Ratio 

40.00% 

<  40% 

40% 

>40% 

Interoperability 

Within  1 
Day 

>  1  Day 

Within  1  Day 

<  4  Hours 

SLA  27:  External  Networks 

Availability 

99.5% 

<  90.0% 

>  90.0% 

<  95.0% 

>  95.0% 

<  99  5% 

99  5% 

>  99.5% 

Implementation  Time 

<6 

Working 

Days 

>  10 

Working 

Days 

>6 

Working 
Days£  10 
Working 
Days 

6  Working 
Days 

<6 

Working 

Days 

Problem  Resolution 

1  Hour/3 
Hours 

>  (2 

Hours/6 

Hours) 

>  (1  Hour/3 
Hours)  <  (2 
Hours/6 
Hours) 

1  Hour/3 
Hours 

<301 

Hour/3 

Hours 

Interoperability 

Within  1 
Day 

>  1  Day 

Within  1  Day 

<  4  Hours 

SLA  28:  Network  Management  Services  (Asset  Management) 

Time  to  Implement 
Asset  (% 

Implemented  Within 

5  Days) 

85.0% 

<  70.0% 

>700% 

<  80  0% 

>80  0% 

<  85  0% 

<  85% 

>85% 

<.92% 

>  92.0% 
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SLA  Category  Metric 
_ (SPM) 

Time  to  Remove  25 
Asset  Business 

Days 


Service  Level  Measurement 


>25  25  <25 

Business  Business  Business 

Days  Days  Days 


<  85.0%  >  85.0%  98% 


SLA  29:  Operational  Support  Services 


100% 


Data  Back-up  recovery  99.9%  <  90% 

and  Archiving 

Effectiveness 


Data  Base  Audits  and  99.9% 

Maintenance 

effectiveness 


SLA  30:  Capacity  Planning 

SLA  31:  System  Services  - 

Domain  Name  Server 

Availability  > 

<  90  0%  >  90.0% 

>  95.0%  99.7% 

>99.7% 

99.7% 

<  95.0% 

<  99  7% 

Latency 


<  100ms 


100ms  1 100ms  RlOOms 


SLA  32:  Application  Server  Connectivity 


>  90.0%  >  95.0% 

<  95  0%  <  99.5% 


Availability 

99.5% 

Implementation  Time 

<  5 

Workin 
g  Days 

MTTR  Backbone  to 
Server  Netv/ork 
Segment 

<6 

Hours 

SLA  32A:  Network  Operations  Display 


Availability  99.5%  <99.5%  99.5% 


SLA  33:  NMCI  Security  Operational  Services-Gencral 


>  99.5% 


Accreditation 

85.0% 

Security  Integrity  - 
Third  Part  Physical 
Inspections- 
Unclassified 

95.0% 

Secunty  Integrity  - 
Third  Part  Physical 
Inspections-Classified 

99  0% 

Secunty  Integrity  - 
Security  Measures- 
Unclassified 

02% 

Secunty  Integrity  - 
Security  Measures- 
Classified 

0.1% 

<  85% 

85.0% 

>85% 

<  95% 

95.0% 

>  95% 

<  99% 

99.0% 

>99% 

>2% 

0.2% 

<  .2% 

>.1% 

0.1% 

<.1% 

SLA  Category 


Service  Level  Measurement 


-2  -1 


SLA  34:  Information  Assurance  Operational  Services-PKI 


Certificate  Revocation-  1  Hour 
Unclassified 


Certificate  Revocation-  30 
Classified  Minutes 


Ability  of  one  NMCI  5 
user  to  obtain  the  DOD  Minutes 
public  key  infrastructure  99  7% 

X  509  certificate  of  Unclassifi 
another  NMCI  user  for  ed 
purpose  of  sending 
electronic  mail- 
Unclassified 


Ability  of  one  NMCI 
user  to  obtain  the  DOD 
public  key  infrastructure 
X  509  certificate  of 
another  NMCI  user  for 
purpose  of  sending 
electronic  mail- 
Classified. 


User  Registration  for 
DOD  public  Key 
Infrastructure  within 
NMCI-Unclassified 

Unclassifi 

ed 


User  Registration  for 
DOD  public  Key 
Infrastructure  within 
NMCI-Classified 


Minutes 


>2  Minutes.  2  Minutes  <2 

99.9%  99.9%  Minutes. 

99.9% 


85%  1 

Week.  100% 
2  Weeks 


85%  1 

Week.  100% 
2  Weeks 


NMCI-Classified  Weeks 
Classified 


Interoperability  Within  1 

Day 


SLA  35:  Information  Assurance  Operational  Services-SIPRNET 


1  Day  Within  1  Day 


Interoperability 

Within  1 
Day 

SIPRNET  Access 
Availability 

98  0% 

Interoperability 

Within  1 
Day 

>  1  Day 

Within  1  Day 

<  98% 

98.0% 

>  1  Day 

Within  1  Day 

<  4  Hours 


<  4  Hours 


<  4  Hours 


SLA  36:  Information  Assurance  Planning  Services 


Security  Incident 
Reporting  Unclassified 

1  Week 

Security  Incident 
Reporting  Classified 

1  Day 

Security  Incident 
Response  Unclassified 

1  Day 

>  1  Week 

1  Week 

<=  3  Days 

>  1  Day 

1  Day 

<=  4  Hours 

>  1  Day 

1  Day 

<=  4  Hours 
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Service  Level  Measurement  | 

SLA  Category 

102231 

-4 

-2 

-1 

0 

+1 

+2 

+4 

Security  Incident 
Response  Classified 

1  Day 

>  1  Day 

1  Day 

<=  4  Hours 

Security  Product 

Refresh  -  Unclassified 

6  Months 

<  6  Months 

6  Months 

>  6  Months 

Security  Product 

Refresh  -  Classified 

6  Months 

<  6  Months 

6  Months 

>  6  Months 

Security  Vulnerability 
Remediation  - 
Unclassified 

1  Day 

>  1  Day 

1  Day 

<=  4  Hours 

Security  Vulnerability 
Remediation  - 
Classified 

1  Day 

>  1  Day 

1  Day 

<=  4  Hours 

SLA  36A:  Integrated  Configuration  Management 

SLA  36B:  Integration  and  Testing 

Time  to  Configure 

Asset 

4  Days 

>  4  Days 

4  Days 

<  4  Days 

SLA  36C:  Technology  Refresh  [ 

Workstation 

Refreshment 

36 

Months 

>  36  months 

36  months 

Refreshment  Timeliness 

85% 

<  65% 

>  75%  < 
65% 

<  85%  > 

75% 

85% 

>  85%  < 
90% 

>  90%  < 
95% 

>  95% 

Average  Relative 
Performance  of 
Refreshment 
Workstations 

75% 

<  65% 

=>  65%  < 
70% 

=>  70%  < 
75% 

75% 

>90% 

Table  B:  Monitoring  Performance  Criteria  and  SLAs,  from  the  NMCI  REVISED  contract 
N00024-00-D-6000,  6  Oct  2003,  p.120-127 


167 


THIS  PAGE  INTENTIONALLY  LEFT  BLANK 


168 


APPENDIX  C 


NMCI’S  “GOLD  DISK”  REVISION  HISTORY 


Revision  History 


Version 

Date  Posted  to 
Web 

Item 

Revision 

1.0 

03/01/02 

MS  Office  Suite 

Old:  MS  Office  Pro  2000  SR-la 

New:  Standard  Office  Automation  Software 
Included  on  the  Gold  Disk 

MS  Word 

MS  Excel 

MS  PowerPoint 

MS  Access 

2.0 

9/19/02 

Operating  System 

Old:  MS  Windows  2000  Build  2195  SP1 

New:  MS  Windows  2000  Build  2195 
SP2/SRP1 

Internet  Browser 

Old:  Internet  Explorer  MS  5.5  SP-1  128  bit 
New:  Internet  Explorer  MS  5.5  SP-2  128  bit 

PDF  Viewer 

Old:  Acrobat  Reader  v.4.05c 

New:  Acrobat  Reader  v.  5.05 

Terminal  Emulator 

Old:  Reflection  8.0.5 

New:  Reflection  8.0.5  -  Web  Launch  Utility 

Compression  Tool 

Old:  WinZip  v8 

New:  WinZip  v8.1 

Multimedia 

Old:  Windows  Media  Player  v7.00.1956 

New:  Windows  Media  Player 
v7.01. 00.3055 

Electronic  Records 
Management 

Old:  Trim  Captura  v4.3* 

New:  N/A 

Web  Controls 

Old:  Apple  QuickTime  Movie  and  Audio 
Viewer  v4. 12 

New:  Apple  QuickTime  Movie  and  Audio 
Viewer  v5.0 

Software  Management 

Old:  Radia  Client  Connect 

New:  Radia  Client  Connect  v2.1 

Dial-Up  Connectivity 

Old:  PAL 

New:  PAL  v4. 1.1. 306 

VPN 

Old:  VPN  Client 

New:  VPN  Client  v3.0 

3.0 

1/23/03 

Electronic  Records 
Management 

Old:  N/A 

New:  Trim  Context 
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Version 

Date  Posted  to 
Web 

Item 

Revision 

4.0 

2/19/03 

Dial  Up  Connectivity 

Old:  PAL  v4, 1.1. 306 

New:  PAL  v4.3 

VPN 

Old:  VPN  Client  v3.0 

New:  VPN  Client  v4.1 

5.0 

4/9/03 

Security 

Old:  Intruder  Alert  3.5 

New:  Intruder  Alert  v3.6 

6.0 

6/2/03 

Operating  System 

Old:  MS  Windows  2000  Build  2195  SP2/SRP1 

New:  MS  Windows  2000  SP3 

Desktop  Management 

Old:  N/A 

New:  Diskeeper  7.0413 

Executive  Software 

Security 

Old:  Intruder  Alert  v3.6 

Axent 

New:  Intruder  Alert  v3.6 

Symantecc 

Security 

Old:  ESM  v5.1 

Axent 

New:  ESM  v5.1 

Symantec 

7.0 

12/15/03 

Multimedia 

Old:  Windows  Media  Player  v7.01. 00.3055 

New:  Windows  Media  Player  v9 

Table  C:  “Golden  Disk”  Revision  History,  from  www.nmci-isf.com  (Golden  Disk 
Contents),  updated  on  the  15th  of  December  2003,  accessed  February  2004 


170 


APPENDIX  D 


NMCI  PERFORMANCE  MEASUREMENT  METRICS 


SLA 

0 

SERVICE  NAME 

SI  KV  1C  1 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERV 

POINTS 

BUN  KX 
LEVELS 

PERFORMAM  h 
CATEGORIES 

PERFORMANCE 

MEASURED 

FREQUENCY 

MEASUREMENT 

SERV  ICE 
PERFORMANCE 
LEVEL 

1%  of  Satisfaction) 

•.it  iui 

m  HW  aud  OS 

V-prov  DT  HW 
and  OS 

1  \d  A  For  <B,  HE. 
MC),  Emb  For. 

B.HE.MC 

Installation  Accuracy 

Percentage  of  HW  or  OS 
mstalbtions/  upgrades 
successful  on  fust  use 

Monthly 

(1) 0.995 

(2) 0.995 
<3)0.995 

Availability 

Basic  DT.  including  HW  and 

OS.  is  up  and  capable  of 
running  SW  amis 

Monthly 

(1) 0.997 

(2) 0.997 
<3)0.999 

Froblein  Resolution 

Elapsed  time  from  outage  until 

DT  HW  and  OS  are  restored  to 
noimal  operating  perfonnance 

Continuous 

monitoring,  reported 
monthly 

(1)  1  bus  day 

(2)  1  bus  day 

1)4  hours 

Problem  Resolution 
(Remote  Users  Only ) 

Elapsed  time  from  outage  until 
DT  HW  and  OS  are  restored  to 
normal  operating  perfonnance 

Continuous 
monitoring,  reported 
monthly 

(1) 2  bus  day  s 

(2)  2  bus  day  s 
(3 1 4  hours 

Customer  Satisfaction 

Level  of  customer  satisfaction. 

Initial:  6  mos  for  1* 

yr.  yearly  thereafter 

(1) 0.85 

(2) 0.85 
<3)085 

1*102 

Standard  Office 
Automation  SW 

V-prov  standard 
1)1  integrated 

SW 

Fxd  A  Por  (B.  HE. 
MC).  Emb.  Emb  Por. 
Hybrid 

B.  HE.  MC 

Installation  Accuracy 

Percentage  of  OA  SW 
mstalkilioin/  upgrades 
successful  on  fust  use 

Monthly 

(1) 0.995 

(2) 0.995 
<3|0  995 

SW  Cumaicv 

OS  SW  currency  relative  to 
industry  standaids(OSSW 
standard  across  the  enterprise). 

Quarterly 

(1) <=lyr  and/or  2 
versions 

(2) <=lyrand/or2 
vetsions 

<3)<=lyr  and/or  2 
versions 

Interoperability 

Tull  interoperability  and 
seamless  interface  both  within 
NMCI  and  to  external 
customers. 

Measured 
continuously . 
suminan/ed  daily . 
icported  monthly,  or 
when  plan  threshold 
value  exceeded. 

(1)  within  1  day 

(2)  within  1  day 

(3)  witlun  4  hours 

Customer  SatisTaction 

Level  of  customer  satisfaction. 

Initial:  6  mos  for  1“ 

y  r.  yearly  thereafter 

(1) 0.85 

(2) 0.85 
<3)0.85 

0003 

E-mail  Service* 

V-prov  sves  for 
e-mail  and 
multimedia  e- 
mail 

attachments. 

1  \d  &  For  i  II.  HE. 

Me  >.  Emb,  Emb  Por, 
Hybrid 

B.  HE.  MC 

Availability 

Portion  of  umc  V-prov  e-mail 
server  lias  up  time 

Measured 
continuously . 
summon/ ed  daily, 
icported  monthly 

(1) 0995 

(2) 0.995 

(3) 0.997 

SLA 

0 

SERVICE  NAME 

SERVICE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SERVICE 

LEVELS 

PERFORM  AM  E 
CATEGORIES 

PERFORMANCE 

MEASURED 

FKLQl  t.NCV 
MEASUREMENT 

sun  h  e 

PERFORMANCE 

LEVEL 

f/.  of  Satisfaction) 

Problem  Resolution 

Elapsed  time  from  outage  until 
sve  is  restored  to  noimal 
operating  performance 

Continuous 
monitoring,  reported 
monthly 

)  1  hour 
<2)  1  hour 
<3)30  minutes 

Performance  of  E-mail 
Transfer 

Avg.  time  V-pto  e-mail  system 
keeps  message  in  tlieu  sy  stem 
(a)  before  depositing  in  user  s 
mailbox  (on  server)  for 
incoming  mail  and  <b)  before 
delivering  to  Internet  or  other 
NMCI  domain  for  outgoing 
mad 

Annual 

(1)  <=5  minutes 

(2)  <=5  minutes 

(3)  <=5  minutes 

Interoperability 

l  ull  interoperability  and 
seamless  interface  w  itliin 

NMCI  and  to  external 
customers. 

Measured 
continuously, 
summarized  daily  , 
icported  monthly,  or 
when  plan  Uvcsliold 
value  exceeded 

(1)  witlun  1  day 

(2)  witlun  1  day 

(3)  witlun  4  hours 

Customer  Satisfaction 

Lev  el  of  customer  satisfaction. 

Initial:  b  mos  for  1* 

yr.  yearly  thereafter 

(1)0.85 

<2)0.85 

<3)0.85 

0004 

Directory  Services 

V-mamtained 

global 

mfoimation  sves 
delivciuig 
distnbuted 
computer  apps 
across  the 

NMCI 

Fxd  A  Por  (B,  HE, 
MC).  Emb,  Emb  Por. 
Hybrid.  Voice.  Video 

B.  HE.  MC 

Availability 

SDP  accessibility  to  NCMI 
global  information  sves. 

Measured 
continuously . 
summarued  daily . 
icported  monthly 

(1)0.995 

<2)0.995 

<3)0.997 

Responsiveness  - 
network  connected 

1  ime  it  takes  to  seaic h  on-lme 
directory  info  for  LAN -attached 
end- user  within  NMCI  domain. 

Monthly 

(l)<=2  seconds 
<2)<=2  seconds 

D<=2  seconds 

Responsiveness  - 
Dial-in 

1  ime  it  takes  to  search  on-lme 
directory  info  for  dial-m- 
attachcd  end-user  within  NMCI 
domain. 

Monthly 

)<=20  seconds 
<2)<=20  seconds 
<  3)  <=2U  seconds 
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SLA 

» 

SERVICE  NAME 

SERVILE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

UXVKX 

LEVELS 

PERFORMANt  f 
CATEGORIES 

PERFORMANCE 

MEASURED 

FRI.QU.MV 

MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

t'/iofSatlsfnctbnl 

Timeliness  of 

Directory  Updates 

Responsiveness  and 
completeness  of  data  ui  on-line 
directory  resources  add. 
change,  or  delete  to  indiv  idual 
directory  info  reflected  within 
four  hours  99.9%  of  time. 

Monthly 

(ll  within  4  tioum. 

.999 

(2l  wilhin  4  houn. 

.999 

(5)  within  4  horns. 

999 

Accuracy  of 

Global/Local  On-line 
Directory 

Maintain  directory  accuracy 
acro»  NMl'l  uifrastructure. 
Excludes  any  inaccuracies  due 
to  updates  that  may  not  be 
under  the  control  of  the  vendor 

Monthly 

<=.001  of  urers 
(2)  <=  001  of  users 
(5)  <=  OLII  of  was 

Interoperability 

Requires  full  interoperability 
and  seamless  interface  both 
within  NMl'l  and  to  external 
customers. 

Measured 
continuously, 
summarized  daily, 
reported  monthly,  or 
when  plan  threshold 
value  exceeded 

(1)  within  1  day 

(2)  witlun  1  day 
(5)  within  4  hours 

l  ustomei  Satisfaction 

Level  of  customer  satisfaction. 

Initial:  6  not  for  1“ 
yr.  yearly  thereafter 

(1) 0.85 

(2) 0.85 
(5)0.85 

(KKI5 

File  Sluiied  SoVK.es 

V-prov  aid  user 
access  to  sluic'd, 
controlled  access 
storage  media 

FxdAPorfB.HE, 
MCf  Emb.  Emit  P«, 
Hybrid 

B.  HE.  MC 

Availability  to 

Requited  Users 

Availability  of  ted  file  fWi 

Measured 
continuously, 
summarized  daily, 
reported  monthly 

(1) 0.995 

(2) 0.995 
(5)0.997 

File  Share  Duta 

Integrity 

Number  of  unrecoverable  data 
lost  incidents  per  month  to  user 
ratio. 

Monthlv  at  icpuitcd 
to  HD 

(1) OjOOOS 

(2) 0.0005 
(5)0.0005 

1  ime  to  kecovei  Lost 
Files 

Pcguis  with  notification  to  help 

desk,  thiough  completion  of  tile 
restoration 

Monthly 

(ll  Idas  .95 
(2)1  dan  .95 
(5)  4  hoots  98 

Shared  File 

Pefformanee  - 
Networi 

Time  to  retrieve  or  post  1  MR 
file  for  LAN-altacbed  user 

Monthly 

(1)2  seconds 
(2 1 2  seconds 
(3)  2  seconds 

Shared  File 

Performance  -  Dial-iu 

Time  to  retrieve  or  post  100  KB 
file  for  dial-in  user 

Monthly 

(1) 50  seconds 

(2)  50  seconds 
(5)50  seconds 

SLA 

H 

SERVICE  NAME 

SERVICE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

siKvm 

LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

PKBQUENCY 

MEASUREMENT 

SUVICI 

PERFORMANCE 

LEVEL 

(%of  Satisfaction) 

(.  uslomei  Satisfaction 

Level  of  customer  satisfaction. 

Initial:  6  mos  for  1* 

yr.  yearly  thereafter 

(1) 0.85 

(2) 0.85 
<3)085 

(1006 

Web  Access  Services 

V-prov  erui  user 
access  k>  in- 

house  and 
external  web 

content 

Fxd&  Por  <B,  HE. 
MC).  Einb.  Einb  Poc. 
Hybrid 

B.  HE.  MC 

Availability 

Web  server  availability  to 
customer 

Measured 
continuously, 
summarized  daily  , 
reported  monthly 

(1) 0.995 

(2)  0.995 

(3) 0.997 

Performance  of  NMC 1 
Web  Process 

Avg.  tune  to  access  NMCI-site 
to  maintain  requued  level  per 
user  requirements  change 

Monthly 

<l)<=  15  seconds 

(2) <=  10  seconds 

(3)  <=  5  seconds 

Interoperability 

Requires  full  interoperability 

and  seamless  interface  both 
withui  NMl'l  and  to  external 
customers. 

Meusurcd 
continuously, 
summarized  daily, 
icpuricd  monthly .  or 
when  plan  threshold 
value  exceeded 

1 1  >  within  1  day 

(2)  within  1  day 

(3)  withmd  hours 

Customer  Satisfaction 

Level  of  customer  satisfaction. 

Initial:  6  mos  for  1* 

yr.  yearly  thereafter 

(1) 085 

(2) 0.85 

(3) 085 

0007 

Newsgroup  Services 

V-piuv  access  to 
public  and 
pnvate 
newsgroup* 

FxdA  PoriB.  HE. 
MCI  Emb,  Emb  Por. 
Hybrid 

B,  HE,  MC 

Availability 

Newsgtoup  sves  availability  for 
account  holders. 

Measured 
continuously . 
summarized  daily, 
reported  monthlv 

(1) 0.995 

(2) 0.995 

(3) 0.997 

Interoperability 

Interoperability  successes  for 

newsgroup  sves. 

Monthly 

(1) 0.95 

(2) 0.975 

(3) 0.983 

Performance 

Successful  vs.  total  transfer 

trials  to  newsgroups 

Monthly 

(1) 0.90 

(2) 0.95 

(3) 0.99 

Interoperability 

Requires  full  interoperability 

and  seamless  interface  both 
within  NMC1  and  to  external 

customers. 

Meusurcd 

continuously, 
summarized  daily , 
reported  monthlv .  or 
when  plan  llueslvold 
v  alue  exceeded 

1 1 )  within  1  day 

(2)  within  1  day 

:  i.l  i  1 1.  .i 
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SLA 

SERVICE  NAME 

SLR  Vic  L 
DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

8UVKX 

l.L\  ELS 

PERFORMA.M L 
CATEGORIES 

PERFORMANCE 

MEASURED 

FRLQl I  NI  V 
MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

<%of  Sathfactlanl 

Customei  Satisfaction 

Separately  queried,  analyzed, 
and  reported  capability . 

Quarterly 

(1) 0.85 

(2) 0.85 
<3)0.85 

•  If  HJS 

DHL 

ETC 

D 

Multimedia 
Capabilities  Services 

(KHJ9 

Print  Services 

V-supplkd  end 
user  ability  to 
produce  hard 
copies. 

Fxd  &  For  (B.  HE, 
MC),  Emb.  Emb  Por 

H.  HE.  MC 

Availability 

Printer  up  time. 

Measured 
continuously . 
summarized  daily, 
icporled  monthlv 

(1) 0905 

(2) 0.995 

(3) 0.997 

Accessibility 

Supporting  pt  niter  located 
w  ithui  SO  feet  of  all  supported 
WS& 

Acceptance  of 
mstulialions 

(»Y« 

(2)  Ye 
<51  Ye 

Average  Density 

Avg.  number  of  users  per 

NMCI  printer,  not  to  exceed  20 
iavn  <  or  =  10». 

Acceptance  of 
installations 

d)Ye 
(2)  Ye 
<3<Ye 

Customer  Satisfaction 

Level  of  customer  satisfac  tion. 

Initial:  b  mos  for  1" 

yr.  yearly  thereafter 

(1) 0.85 

(2) 0.85 
<3)0.85 

mo 

NMC1  Intranet 
Performance 

External  u>  base 
combined  tve 
level  for 
networking  of 
voice,  video,  or 
data  viaNMCI 
Intranet 

Kd&  1'ariB.HE. 

MC  ).  hmh.  1  mb  For, 
Hybrid 

B,  HE.  MC 

Availability 

Connectivity  across  NMC1. 

Measured 
periodically . 
suinman/ed  hourly, 
reported  daily 

(1) 0.998 

(2) 0.998 

(3) 0.998 

Latency  and  Packet 

Loss 

Packet  latency  across  Internet 
to  other  NMCT  sites  and 
commercial  sites. 

Measured  every  5 
minutes,  reported 
monthlv 

(l)7D>IOOfluKlJO% 

<2 1 70-100  msfcl.0% 

<3i  7ti-l  00  ms*  1.0% 

Interoperability 

Requires  full  inteiopetubilitv 
and  manta  mterface  both 
within  NMCI  and  to  external 
customers. 

Measured 
continuously, 
summarized  daily, 
reported  monthly,  or 
when  plan  ilueslvold 
value  exceeded 

IT  )  within  1  day 

(2)  within  1  da\ 

(3)  within  4  hours 

SLA 

0 

SERVICE  NAME 

SERVK  E 
DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SKKN  ICE 
LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQl ENCY 
MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

(%  of  Satisfaction! 

Problem  Resolution 

Elapsed  lime  from  outage  until 
service  is  restored  to  normal 
operating  pertinimmcc 

Continuous 
monitoring,  reported 
monthly 

)  30  miiiutcs/3 
hours 

(2)  15  minutes/ 1  hour 

(3)  3  mmuics'Tn 
minutes 

Customer  Satisfaction 

User  satisfaction  of  latency  of 
network  apps.  inteioperability 
(reachability  I  to  DON  and  Dol) 
sites. 

Quarterly 

(1  >0.&5 

(2) 0.85 

(3) 0.85 

0011 

NIPRNET  Access 

Lnd  unci  poult  of 
entry  for  voice, 
video,  or  data 

lloi.C  111’..' 

NIPRNET' 

MC).  Emb.  lunb  Poc. 
Hybrid.  Voice,  and 
seats 

w  'cla»itied  oution. 

B,  HE,  MC 

Availability 

NIPRNET  connectivity 

Measured 
continuously . 
.summarized  daily, 
reported  monthly 

(1)0.995 

<2)09^5 

(3)0.998 

Latency  and  Packet 

Loss 

Packet  latency  actus*  Intranet 
to  other  NMCT  sites  and 
commercial  sites. 

Continuously 
monitored,  reported 
monthlv 

(1) 30mK1.0N 

(2) 30ms/<l.0)4 

(3) 30ms«1.0% 

Interoperability 

Requires  full  interoperability 
and  seamless  interlace  both 
w  ithui  NMCT  and  to  external 
customers. 

Measured 
continuously . 
summarized  daily, 
leported  monthly .  or 
when  plan  threshold 
value  exceeded 

(1)  within  (day 

(2)  within  1  day 

(3)  withm  4  hours 

Customer  Satisfaction 

User  satisfaction  of  latency  and 
network  apps.  inteioperability 
(  reachability  l  to  DON  and  Do!) 
sites 

Quarterly 

(1) 0  85 

(2) 085 

(3) 085 

0012 

Internet  Access 

End  user  point  of 
entry  for  voice, 
video,  or  data 
device  into 
internet 

Fxd&  PoriB,  HE. 

MC ).  1  nib.  Emb  Por. 
Hybrid 

B.  HE.  MC 

Availability 

Internet  connectivity  . 

Measured 
continuously, 
summarized  daily, 
icporled  monthly 

(1)0.980 

<2)0.980 

<3)0.996 

Inter  opeiabtlity 

Requires  full  inteioperability 
and  seamless  interface  both 
within  NMCT  and  to  external 
customers. 

Measured 
continuously . 
summarized  daily, 
icporled  monthly,  or 
when  plan  threshold 
value  exceeded 

(1 1  within  1  day 
<2 1  within  1  day 
(3)  within  4  hours 
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SLA 

# 

SERVICE  NAME 

SLR  VIC  L 
DESCRIPTION 

APPLICABLE 
SERV  K1 
DELIVERY 
POINTS 

SERV  Id 
LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FRLQl  EM  ^ 
MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

(%  of  Satisfaction) 

Customer  Satisfaction 

User  satisfaction  of  latency  and 
network  apps.  inteiopeiability 
i  reachability )  to  DON  and  DoD 
sites 

Quarterly 

(1) 0.85 

(2) 015 

(3) 015 

0013 

Mainframe  Sci\ kcs 
Access 

V-prov  access  to 
nuiui  frame  data 
and  apps. 

M  t  to  iB,  ®, 
MCk  Emb.  Emb  Por. 
Hybrid 

B,  HE.  MC 

Availability 

Required  mainframe 
applications  and  dutu  access. 

Measured 
continuously, 
summarized  daily, 
reported  monthly 

(1) 0.995 

(2) 0.995 

(3) 0.997 

Interoperability 

Requires  full  interoperability 
and  seamless  interface  both 
within  NMCI  and  to  external 
customers. 

Measured 
continuously, 
summarized  daily, 
reported  monthly,  or 
w  hen  plan  threshold 
v  alue  exceeded 

(1)  within  1  day 

(2)  within  1  day 

(3)  within  4  hours 

Customer  Satisfaction 

Performance  to  support  mission 

requirements  (end  user 
satisfaction  level  > 

Baseline  survey 
followed  by  amiual 
surveys 

(1) 0.85 

(2) 015 

(3) 085 

(1014 

Desktop  Access  to 
( >u\  eminent  Apps 

V-prov  desktop 
access  to 

Government 
sy  stems  and 
apps. 

Fxd&  Por  (B,HE. 

MC  k  Emb,  limb  Por. 
Hybrid 

B.HE.MC 

Availability 

Full  functionality  of  system/app 
at  end  user  's  desktop. 

Monthly  reports  on 
the  system/ 
application 
availability 

(1) 0995 

(2) 0.995 

(3) 0.997 

Interoperability 

Requires  full  interoperability 
and  seamless  interface  both 
within  NMCI  and  to  external 
customers. 

Measured 
continuously, 
summarized  daily, 
reported  monthly,  or 
when  plan  threshold 
value  exceeded 

(1 1  within  1  day 

(2)  within  1  day 

(3)  within  4  hours 

Customer  Satisfaction 

Perfoimance  to  support  mission 
requirements  (end  user 
satisfaction  level:- 

Baseline  survey 
followed  by  aiuiual 
surveys 

<1)0.85 

<2)0.85 

(310.85 

(KII5 

Moves.  Adds,  and 
Changes 

V-prov  MACs  as 
specified  in  SOO 

Fxd(B,  HILMCX 

Emb.  Emb  Por 

B.HE.MC 

Responsiveness 

Tune  to  complete  from  initial 
notification  to  helpdesk 

Each  occurrence 

(1) <=6days 

(2) <=5days 
<3)<=2davs 

Government 

Operational  Direction 

1  tine  to  complete  from  initial 
notification  to  helpdesk. 

Each  occurrence 

0) 

(2) 

(3)  <=1  hour 

su 

# 

SERV  ICE  NAME 

SERVICE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SERVICE 
Lt\  ELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQUENCY 

MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

(•/.of  Satisfaction) 

Incidents  of  Repeat 

Calls 

Percentage  of  repeat  calls  to 

.IC.||  did.  i:  I..I.IC  v  mi  -1', 

requested  MACs. 

Each  occurrence 

<1)2% 

<2)2% 

(3)2% 

Performance 

Percentage  of  work  done  at 
scheduled  time. 

Each  occurrence 

(1)0.96 

<2)0.96 

(3)0.98 

Cuslomei  Satisfaction 

Lev  el  of  customer  satisfaction. 

Initial  6  mos  for  I* 
yr,  yearly  thereafter 

(1)0.85 

<2)0.85 

<3)085 

0016 

Software  Distribution 
and  Upgrades 

V-prov  sve  to 
distribute  SW  to 
SDPsand 
appropriate 

NMCI 

infrastructure. 

Fxd&  PoriB,  HE. 
MCk  Emb.  Emb  Por. 
Hybrid 

B.HE.MC 

Upgrade  Backouts 

Attributed  to  SW  upgrades 
performed  via  network  svesto  a 
whole  local  domain  not 
previously  scheduled. 

Monthly 

<  1 )  <0.03 

(2)  <0.03 

(3)  <0,03 

Upgrades  Cunency 

Number  of  installed  SW 
releases  that  are  at  least  equal 
to  or  current  to  most  current 

SW  release 

Monthly 

(1) 0.980 

(2) 0.980 

(3) 0.980 

Patches  C  urrency 

Number  of  released  patches 
installed  div  ided  by  number  of 
patches  available 

Monthly 

<1)0.080 

<2)0.080 

<3)0.080 

Customer  Satisfaction 

Level  of  customer  satisfaction. 

Initial:  6  mos  for  1* 

yr.  yearly  thereafter 

<1)085 

<2)0.85 

(31085 

(1017 

User  Training 

Scope  and 
elTectivenessof 
user  and  security 
traiuinit. 

All  end  users 

All 

Security  Training 

formal  naming  (Ur.  mm  per 

year). 

Tracked 
continuously, 
reported  monthly 

(1) 0.95 

(2) 0.98 

(3)  1.00 

User  Training 
Availability 

PropoitMMi  of  population 
del  li  ed  requiring  i.  n  i- 
,  p  M  -.i  do h  feu  ben  received 
naming. 

Tracked 

continuously, 
reported  monthly 

<1)0.80 

<2)0.00 

<3)0.05 

Quality 

Evaluation  of  courses 
conducted  w  ithm  30  day  s  after 
couise  completion. 

Tracked 
continuously, 
reported  monthly 

(1)0.80 

<2)0.80 

(3)0.80 

0018 

Unclassified  Remote 
Access 

Lnd  user  remote 
access  to  NMCI 

Por.  Emb  Por 

B.  HE.  MC 

Availability 

RAS  availability  of  NMCI 
mfiastiucture  via  dial-ui 

Monthly 

(1) 0.995 

(2) 0.995 
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su 

# 

SERVICE  NAME 

SLR Vll  L 
DESCRIPTION 

APPLICABLE 

SERVICE 

DEUVON 

POINTS 

SERVICE 
LL\  ELS 

PERFORM ANC  L 
CATEGORIES 

PERFORMANCE 

MEASURED 

FREQl INC  V 
MEASl  REMENT 

SERVICE 

PERFORMANCE 

LEVEL 

(%of  Satlvfactlun) 

Jala  netwoik  via 
dial-up  link 

capability. 

(3)0.995 

Capacity 

RAS  connectivity  surge 
capacity  available  beyond 
normal  peak  load 

Monthly 

(1) 0.3 

(2) 0-3 

0>OJ 

Inteiopeiability 

Requires  full  interoperability 
and  seamless  interlace  both 
withui  NMCI  and  to  external 
customers. 

Meusured 
continuously . 
summarized  daily, 
leporled  monthly,  or 
when  plan  threshold 
v  nine  exceeded 

(It  within  1  day 

2  within  1  day 

:  O.ll  I  I  in  ll- 

Customei  Satisfaction 

Level  of  c  ustomer  satisfac  tion. 

Initial.  6  mos  for  1* 

yr  yearly  thereafter 

(1) 0.85 

(2) 0.85 
<3)0.85 

0019 

Clarified  Remote 
Access 

End  user  remote 
access  to  NMCI 
data  netwoik  via 
dial-up  link 

Por  &  Emb  Por 

Wi'clasMtK'd 

connectivity 

B.HE.MC 

Availability 

Secure  RAS  availability  of 

NMCI  infrastructure  via  dial-in 
capability. 

MonUily 

(1)0.995 

<2)0.995 

(3)0.995 

Capacity 

RAS  connectivity  surge 

capacity  available  beyond 
normal  peak  load. 

Monthly 

0)0.3 

<2)0.3 

(310.3 

Performance 

CRAS  modem  data  rate. 

Annually 

0)Yes 

(2)  Yes 

(3)  Yes 

Interoperability 

Requires  full  interoperability 

and  seamless  interlace  both 
withm  NMCI  and  to  external 
customers. 

Measured 
continuously, 
smimuui/ed  daily, 
reported  monthly,  or 
when  plan  threshold 
v  nine  exceeded 

(ll  within  1  day 

(2)  within  1  day 

(3)  within  4  hours 

Customei  Satisfaction 

Level  of  customer  satisfac  tion. 

Initial:  6  mos  for  1* 

yr.  yearly  thereafter 

<1)0.8$ 

(2)085 
(31 08J 

(1020 

Portable  WS 

Wireless  Dsal-m 

V-supplted 
ancillary  device 
supporting 
wifeless,  mobile 
connectivity  to 

Por  and  Emb  Por 
w/full  SVC 

B.HE.MC 

Mean  Time  Between 
Failure 

Rate  of  failure  of  wireless 
devices. 

mm 

mn 

SU 

* 

SERVICE  NAME 

SERVICE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SERVICE 

LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

1  HI  OHM) 
MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

(*/ul)(  Slilktucllull) 

NMCI 

Mean  Tune  to 
Repair/Replace  1IW 
components 

I  iroe  to  repair  wireless 
connection  devices 

Per  event  basis, 
reported  monthly 

(1) 98%  within  3  bus 
days 

(2) 98%  within  3  bus 
days 

(3) 99%  within  1  bus 
day 

Customer  Satisfaction 

l  evel  of  customer  satisfac  tion. 

Initial:  6  mos  for  l‘ 

yr.  yearly  thereafter 

(1)0.8$ 

<2)085 

(3)0.85 

(KI20 

A 

Organization-al 
Messaging  Service 

NMCT-promled 

DMS 

capabilities. 

All  four  Data  Seats 
and  associated 
Upgrades 

B,  MC 

Availability 

DMS  up  time. 

Measured 
continuously, 
averaged  hourly, 
reported  monthly 

(1) 0.905 

(2) 

(3)0.997 

Problem  Resolution 

l-.bpscd  tune  from  outage  until 
sve  is  restored. 

Continuously 
monitored,  reported 
monthly 

(III  hour 
(2)? 

<3)15  minutes 

Interoperability 

Requires  full  interoperability 
and  seamless  interlace  both 
within  NMCI  and  to  external 
customers. 

Measured 
continuously, 
summarized  daily, 
leporled  monthly,  or 
w  hen  plan  threshold 
value  exceeded 

(1)  »Mi  in  Idav 

(2) 

(3)  within  4  tans 

Customer  Satisfaction 

l  evel  of  customer  satisfaction. 

Initial:  b  mos  lor  l‘ 
y  r.  yearly  thereafter 

<1)085 

(2) 

(3)0.85 

0021 

Desktop  VTC 

Services 

V-coordinated 
VTC  sves  for 
full  duplex 
video/ 
audio/dala. 

WS  seats 
w  /optional  svea 

B,  HE 

AvaulabeUly 

VTC  up  time. 

At  implementation 
and  yearly 

<1)0.995 

(2)0.995 

0) 

Audio  and  Video 

Quality  I  Integrity ) 

C  larity  of  voice  and  video 

At  implementation 
and  yearly 

15  franns/wc 
(2)5=30  liamcs/aci 
(31? 
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SLA 

# 

SERVICE  NAME 

SERVICE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SERVICE 

LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQUENCY 

MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

f*/uof  StttBfartbnl 

System  Performance 

Desktop  VTC  performance 
relative  to  current  state  of  the 
shelf  available  systems. 

Quarterly 

( 1 )  70%  relative 
capability 

(2) 90%  relative 
capabilitv 

(3) 

Gateway  Capacity 

Sufficient  gateway s  to  support 
on-line  VTC  users  (capable  of 
connectivity  between  dissimilar 
algorithms,  bandwidth  speeds, 
etc.). 

Measured 
continuously, 
reported  monthly 

<1)0.80 

<2)0.95 

<J) 

Interoperability 

Requires  full  interoperability 
and  seamless  interface  both 
within  NMCI  and  to  external 
customers. 

Measured 
continuously, 
summarized  daily, 
icported  monthly,  or 
when  plan  threshold 
value  exceeded 

(Inuthiu  1  day 

IT  1  within  1  Jav 

(J) 

Customer  Satisfaction 

Level  of  customer  satisfaction. 

Initial:  6  roos  for  1“ 

y  r.  yearly  thereafter 

<1)085 

<2)085 

(J) 

0022 

Voice  Communi¬ 
cations 

User  capability 
to  .tend  and 
receive  voice 
calls  to  and  from 
otlicr  users 
\v  itlun  and 
external  to 

NMCI  domain 

Voice  Seals 

B.BihMC 

Availability 

Voice  sve  availability  to  end 
user 

Measured 
continuously, 
reported  monthly 

(I) 0.9999 
<2)0.9999 

(J)  0.99)5 

Dial  Tone  Delay 

Tune  from  off-hook  to 
provision  of  dial  tone  during 
the  Busy  hour. 

Monthly  and 
randomly  on  1%  of 
total  voice  seals 

( 1 1  Not  more  tl NB 

1  ■  II  L.  II-  n  ei-jd 

encounter  delay  >3  sec 
(2 1  Not  more  than 

1  ■  .a  II  -  n  cied 
encounter  delay  >3  sec 
<3iNot  more  than 

1  •  -i  L.  II-  n  CUll 

encounter  delay  >3  sec 

SLA 

# 

SERVICE  NAME 

SERY  1C  E 
DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SUN  K3 
LEVELS 

PER  FORM  AM  t 
('AUGURIES 

PERFORMANCE 

MEASURED 

FKI.Ql  I  NC  Y 
MEASUREMENT 

8DKV1CI 

PERFORMANCE 

LEVEL 

(%of  Satisfaction) 

Grade  of  Service 

i  i  is  1 1  nd  i  ,  to 

Lml  User  Calls  i  Intra- 
NMCI) 

Proportion  of  calls  that  cannot 
be  completed  during  the  Busy 
hour. 

Measured  every  5 
minutes,  reported 
monthly 

<  1  >  P.G5 
(2)  P.05 
(J)P.0l 

GOS  End  User 

External  Networks 

hopoition  of  calls  that  cannot 
he  completed  during  live  Busy 
hour. 

Measured  every  5 
minutes,  reported 
monthly 

(1) P-0l 

(2)  P.01 

(3)  P.01 

Latency 

U  set-to-user  latency  for  voice 
caUs  across  the  NMCI  voice 
network. 

Measured  every  5 
minutes,  reported 
monthly 

(1)  120  ms 

(2)  120  ms 
<3)  120ms 

1  klny  /Variation/Jitler 

Variation  from  when  packet 
was  expected  to  he  received 
and  actual  receipt. 

Measured  ev  ery  5 
minutes,  reported 
monthly 

(1) 60  ms 

(2) 60  ms 

(3) 60nu 

t  rouble  Repair  Times 

(Tine  from  notification  to 
vendor  or  discovery  by  vendor 
i  whichever  is  earlier)  until 
restoration  of  voice  svc. 

Each  occurrence 

(1) 24  hours 

(2) 24  bom 

(3)  2  hours 

Operator-assisted 

Calling 

Operator  sves  to  include 
directory  assistance  <  i.e..  4 1 1 X 
enhanced  91 1  capabilities,  and 

24 -hour  operator  assisted 
calling  including  DISN 

OCONUS  calls 

Sample  and  report 
Monthly  on  a 
representative 
sample  size 

(1)2  minutes 
<2)2  minutes 
(3)  2  minutes 

Absolute  Echo  Path 
Delay 

Twice  the  one-way  transit  tunc 
delay  of  a  signal  through  a 
switching  system  connection 
pail). 

Continuously 
monitored,  reported 
monthly 

(1)25  ms 
<2)25  ms 
(3)  25  minutes 

Customer  Satisfaction 

Includes  performance  of  user 
sves  and  voice  quality 

Initial:  b  mos  for  1" 

yr.  yearly  thereafter 
Monthly 

(1)085 

<2)085 

<3)0.85 

0022 

A 

Voice  Mail 

V-prov  IVMS 
including  voice 
messaging 
nansmission. 
reception,  and 
voice  message 
storage  24/7 
Interoperable 

AD  Voice  &  Data 

Seats 

w /Voice  capability 

B.  Bus.  MC 

Voice  Mail  GOS 

Proportion  of  calls  that  cannot 
he  completed  during  live  Busy 
hour. 

Measured  every  5 
minutes,  reported 
monthly 

(l)N/A 

<2)P.05 

<3)N/A 
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SLA 

SERVICE  NAME 

SERVICE 

APPLICABLE 

SERVICE 

PERFORMANCE 

PERFORMANCE 

FREQUENCY 

SERVICE 

H 

DESCRIPTION 

SERVICE 

LEVELS 

CATEGORIES 

MEASURED 

MEASUREMENT 

PERFORMANCE 

DELIVERY 

LEVEL 

POINTS 

(%of  Satisfaction) 

with  DSN 

Voice  Mailbox  Si/e 

Storage  space  allocated  per  user 

Imliullv  measured  at 

(I|N/A 

for  incoming,  outgoing,  and 
archived  messages. 

system 

implementation. 

(lien  sampled 
monlhlv 

:  i"  in  iu-. 

(3)N/A 

Interoperability 

Requires  full  interoperability 
and  seamless  interlace  both 

Measured 
continuously . 

<I»N/A 

(2)  within  1  day 

within  NMCI  and  to  external 

summarized  daily . 

(JlN/A 

customers. 

teported  monthly,  or 
when  plan  threshold 
v  alne  exceeded 

Customer  Satisfac  tion 

Includes  performance  of  user 
sves  and  voice  quality 

Initial:  6  mos  for  1“ 

yr,  yearly  thereafter 
Moodily 

(l)N/A 

<2)085 

<J)N/A 

0023 

basic  HdpDeak 
Services 

V-pfOV  Old  toCT 
technical 

All  Voice,  Valeo,  and 
DataWSs 

B,  HE.  MC 

Responsiveness  1 1 ) 

Number  of  rings  before 
connect  avg.  tune  m  queue 

Monthly 

Responsiveness  i!)c 
Prime  1  tine  Afg  is 

■■ten  t<> 
solve  NMCI 

until  appiopnate  technician  is 
contacted. 

•  <•.  i  -J-  '*  ' 
calls  answered  within 

issues  to  end 

•e.i o..:-  ii..:  «" 

user's 

of  calls  m  120  seconds 

satisfaction. 

Non-Pnme  Time:  Avg 
nd-.  <■: 

calls  answered  within 
120  seconds  and  100% 
answered  in  240 

seconds 

Responsiveness  1 2) 

Responsiveness  1 3) 

Caller  disconnect 

Level  of  customer  satisfaction 

Monthly 

Initial.  6  DM  fill  I- 

Responsiveness  1 2) 

<  1 1  less  than  7% 

(2)  less  than  7% 

'  k  •  -•  :l-n. 

y  r.  yearly  thereafter 

Monthly 

<1)085 

<2)085 

<3)085 

Responsiveness  1 1  > 

1  one  spent  establishing  user 

sla 

SERV  ICE  NAME 

SERVICE 

APPLICABLE 

SERVICE 

PERFORMANCE 

PERFORMANCE 

FREQUENCY 

SERVICE 

H 

DESCRIPTION 

SERVICE 

LEVELS 

CATEGORIES 

MEASURED 

MEASUREMENT 

PERFORMANCE 

DELIVERY 

LEVEL 

POINTS 

(%  of  Satisfaction) 

accounts  and  updating 'icsctting 
passwords 

Monthly 

<1)1  da\/2hrs(95%) 

(2)  4hrs/l  hr  (98%) 
(J)l  hr/ 15  min 

Responsiveness  1 3) 

Responsiveness  { 6) 

Calls  resolved  on  first  contact 
to  bdp  desk 

Compliance  with  escalation 
pioccduie 

Monthly 

Annually 

(99.5%) 

(1)0.63  (low  priority ) 

•  2 1  •  >  o  >  •  normal 
prio  i  J 

(3)  it  su. high 
priority) 

Responsiveness!  7) 

User  notification  by  help  desk 
for  unplanned  sve  outages,  and 
return  to  sve  status  piior  to 

(1)  Satisfactory 

(2)  Satisfactory 

(3)  Satisfactory 

restore 

1 1 1  within  15  mins 
<2 1  within  15  mins 
(3 1  within  15  mins 

0024 

WAN  NetSoft 
Connectivity 

V-prov 
connection  to 
geographically 
separated  Nan 
and  Murine 

NMCI  Infostructure. 
Oigam/ations.  NMCI 
OP  Center,  Pite 
SDP,  Fleet  Teleports. 
Non-DON 

B.  HE.  MC 

Availability 

Connectivity /capacity  to  WAN 
portal 

Continuous 
monitoring.  24*hr 
aver  rnting.  with 
monthly  reporting 

<1)0  999 

(2) 0.999 

(3) 0.999 

Corps 

user  s/dev  ices 

organizations 

Percent  bandwidth 

Used 

Average  utilization  compared 
with  available,  useable 

Measured 
continuously . 

<8)0.4 

<2)0-4 

capacity 

summarized  hourly, 
icporled  monthly 

<3)03 

Problem  Resolution 

Elapsed  time  from  outage  until 
sve  is  restored. 

Continuous 
monitoring,  reported 
monlhlv 

( 1 )  30  mins/3  lus 

.  1  mins' 1  l.i 

(3)3  mins/ 30  mms 

Interoperability 

Requires  full  interoperability 
and  seamless  interface  both 

Measured 
continuously . 

( 1 1  within  1  day 
(2)  within  1  day 

within  NMCI  and  to  external 

summarized  daily, 

(3)  within  4  hours 

customers. 

icporled  monthly,  or 
when  plan  threshold 
y  slue  exceeded. 
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SLA 

# 

SERVICE  NAME 

SERVICE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SERVICE 

1.1  \  ELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQUENC) 

MEASUREMENT 

SLK\  ICE 
PERFORMANCE 
LEVEL 

(%  uf  Satisfaction) 

Customer  Satisfaction 

Level  of  customer  satisfaction. 

Initial:  6  mos  fori* 
yr.  yearly  thereafter 

(It  0-85 

(2) 0.85 

(3) 0.85 

(1025 

BAN/LAN 

Communi-caUons 

Services 

V-prov 
coonectwo  to 
geographically 
co- located  Navy 
and  Marine 

Corps  LANs  and 

BAN-attached 

devices. 

For  DoN 

organizations  BANs. 
NMU  Infrastructure. 
Organizations,  NMCI 
OP  Center,  Piersade 
SDP,  Fleet  Teleport* 
Fflf  Non-DoN 
organizations:  LANs. 
Data/  Voice/ Video 
seats.  Organization 

b,hi;.mc 

Availability 

Availability  of  connectivity 
between  Navy  and  Marine 

Corps  LANs.  BANs  and 
attached  dev  ices 

Continuous 
monitoring.  24-hr 
averaging,  with 
monthly  reporting 

(1) 0.99410.999 

(2)  0.999/0.999 

(3) 0.9999/0.9999 

Latency 

Percent  Bandw  idth  Utilization 
on  Shared  Network  Segments 

Measured  every  5 
minutes,  reported 
monthlv 

(ll  HtlllN 

- 

<3)  lums 

Problem  Resolution 

h lapsed  time  from  outage  until 
sve  is  restored. 

Monthly  suige 
capacity  chock 

<1)04 

(2) 0.4 

(3) 0J 

Interoperability 

Requires  full  interoperability 
and  seamles*  interface  both 
within  NMCI  and  to  external 
customers. 

Measured 
continuously, 
.summarized  daily, 
icporled  monthly,  or 
wlien  plan  threshold 
value  exceeded. 

:  i  within  1  day 
(2)  within  1  day 
(,V|  within  4  hours 

Customer  Satisfaction 

Level  of  customer  satisfac  tion. 

Initial:  6  mo*  for  1* 

y  r.  yearly  thereafter 

<1)085 

(21085 

<31085 

(KI26 

Moveable  VTC  Seal 

V-prov 
audiovisual 
equipment 
allow  ing  users 
mobility  and 
easy  relocation 
to  selected  VTC 

sves. 

Specified 

Government 

site/Lacihty 

B.HE.MC 

Availability 

VTC  up  time  and  end  user 
access. 

At  implementation 
and  yearly 

(110.995 

(2) 0995 

(3) 0.997 

SLA 

It 

SERVICE  NAME 

SERVICE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SERVICE 

LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQUENCY 

MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

l%urS'Jti-,)Htlmi) 

Video  Quality 

Absence  of  distortion,  tiling, 
and  latency 

At  acceptance  and 
yearly 

(1)  128  Kbps/I  Jfps 
2)384  Kbpa  ■  1  ■ 
(3)768  Kbps/30  fps 

Gateway  Capacity 

Sufficient  gateway  s  to  support 
on-line  VTC  users  (capable  of 
connectivity  between  dissimilar 
algorithm*,  bandwidth  speeds, 
etc.). 

Measured 
continuously, 
reported  monthly 

<1)0.95 

(2)0.95 

<3)099 

Multi-Point  Capacity 

Provide  entire  network  w  iih 
capability  to  perform  multipoint 
conferences. 

Measured 
continuously, 
reporled  monthlv 

<1)085 

(2)0.85 

<3)0.95 

Reliability  of  Season 
Initiation 

Connectivity  on  first  try  .  and 
continuous  up  lime  for  duration 
of  VTC  with  sites  connected  to 
NMCI 

Measured 
continuously, 
reported  monthly 

(1) 0.858)  .95 

(2)  0.858)  .95 

(3) 0.9581.99 

Interoperability 

Requires  full  uiteroperability 
and  seamless  interface  both 
within  NMCI  and  to  external 
customers. 

Measured 
continuously, 
summarized  daily, 
r  eported  monthly ,  or 
when  plan  threshold 
value  exceeded. 

(1)  within  1  day 

(2)  within  1  day 

(3)  within  4  houm 

Customer  Satisfaction 

Level  of  customer  satisfaction. 

Initial:  6  mos  for  1" 

yr,  yearly  thereafter 

(1)085 

<2)0.85 

<3)0.85 

(1026 

A 

Proxy  and  Caching 
Services 

V-prov  user 
capability  lor 
caching  and 
proxy  to  entrance 
Internet 

acces^perlonnan 

ce. 

Each  DON  Facility 

HnterprUe 

Availability 

Proxy  server  up  tune 

Measured  daily, 
r  eported  monthly 

<1)0.995 

(2) 0.995 

(3) 0.997 

Average  Hit  Ratio 

Successful  http  r  equests 
fulfilled  by  cache 

Measured  daily  , 
reported  monthly 

(1) 0.40 

(2) 

(3) 
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su 

# 

SERVICE  NAME 

SI  KMC  l. 
DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SERVICE 

LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQUENCY 

MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

f%  of  Satisfaction) 

Interoperability 

Require^  full  iiUcropctubilitv 
and  seamless  interface  both 
within  NMCI  and  to  external 
customers. 

Measured 
continuously, 
summarized  daily  , 
icported  monthly,  or 
when  plan  threshold 
value  exceeded. 

(1)  within  1  day 

(2 )  within  1  day 

(3)  within  4  hours 

Customer  Satisfaction 

Level  of  customer  satisfaction. 

Initial:  6  mos  for  1" 

yr.  yearly  thereafter 

(1) 0.85 

(2) 0.85 

(3) 085 

(1027 

External  Networks 

Access  and 
interface  to 
net  works 
external  to 

NMCI  (includes 
required  security 
and  access 
control  i 

Applicable  WSs 

B,  He,  MC 

Availability 

Portal  availability  to  external 
networks  (noo-NMCl ». 

Measured 
continuously, 
.summarized  daily , 
leporled  monthly 

(1  >0.95)5 

(2) OJM5 

(3) 0.995/0  998 

Implementation  lime 

Turnaround  time  between  user 
request  and  implementation  of 
access  (does  not  include  non- 
existing  circuits) 

Monthly  avg 

<6  working  days 

(2)  <3  working  day  s 

(3)  <24  hours 

Percent  Bandwidth 

Used 

Avg.  utilization  compared  with 
available,  useable  capacity . 

Monthly  surge 
capacity  check 

(1)0.4 

<2)04 

<3)03 

Problem  Resolution 

Help  Desk  trouble  ticket 
restoration  time  from  outage 
until  sve  is  restoicd 

Continuous 
monitoring.  reported 
monthlv 

(1) 1  hr/3  hrs 

(2) 1  hr/3  hrs 

(3)  15  mins/I  hr 

Interoperability 

Requires  full  interoperability 
and  seamless  interface  both 
withni  NMCI  and  to  external 
customers. 

Measured 
conlinuoitdy. 
suinmari/ed  daily, 
leporled  monthly,  or 
wlien  plan  threshold 
value  exceeded. 

(1)  within  1  day 

(2)  within  1  day 

(3)  within  4  hours 

Customer  Satisfaction 

Level  of  customer  satisfaction. 

Initial:  6  mos  for  l" 

yr,  yearly  thereafter 

<1)0.85 

<2)0.85 

<3)085 

(1028 

Network 

Management  Service 

Operations 

Support  of  Asset 

NMCI  Infrastructure. 
Orginizalion,  NMCI 

B,  HE,  MC 

Time  to  Implement 
Asset 

Delivery  and  installation  of 
asset. 

As  requested  by 
Government 

<l)<=5days.92%of 

time 

SU 

SERVICE  NAME 

SERVICE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SERVICE 

LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQl  EM  V 
MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

(%of  Satisfaction) 

-  Asset  Management 

Management  to 
include  historical 
data,  summary 
management 
reports,  etc. 

OP  Center,  and  Fleet 
Teleports 

(2)  <=5  days.  92%  of 
time 

time 

l  ime  to  Implement 
Asset  Remote  Users 
Only 

Ddiveiy  and  installation  of 
asset. 

As  requested  by 
Government 

(1) <=5days.  85%  of 
time 

(2)  <=5  days.  85%  of 
time 

:  .J.  •  ••  i 

time 

Tune  to  Remove  Asset 

Removal  of  existing  asset 

As  requested  by 
Government 

(1) <=15  dll'  s 

(2)  <=  15  days 

=  l5davs 

Time  to  Remove  Asset 
Remote  Users  Only 

Removal  of  existing  asset 

As  requested  by 
Government 

l)<=25  days 
(2)  <=20  days 
<3)<=15davs 

Accuracy  of  Asset 
Inventory 

Accuracy  of  inventory  and 
mapped  network  components 

Quarterly  reports 

(1) 0.995 

(2) 0.995 

(3) 0.995 

(1029 

Operational  Support 
Services 

V-prov  indirect 

sves  to  include 
datu  backups  and 
recovery,  data 
archiving,  etc 

Infrastructure 

Enterprise 

Duality  and  1  undines 
Reports 

Situational  report  (inoulhly  I. 

Measuted  dailv . 
.summarized  and 
reported  weekly 

<1)100% 

(2) 

(3) 

Data 

Backup/Ar chiv  ing  and 
Recovery 

Effectiveness 

Specified  data  backup 
frequency  and  data  letention 
periods 

Per  Audit 

(DOW) 

(2) 

(3) 

Database  Audits  and 

Maintenance 

Effectiveness 

Audit  scheduled  database 
aichivmg  and  maintenance. 

Annual 

(DOW 

(2) 

<31 

Disaster  Recovery 

Plan  Effectiveness 

NMCI  Disaster  Recovery  Plan 
to  be  presented  w  ithin  one 
month  of  contract  aw  ard 

Initially  and 
annually 

(1)100% 

(2) 

(3) 

0030 

Capacity  Planning 

V-prov  modeling 
to  plan  changes 
to  NMCI 

NMCI  Operation 
Center 

Enterprise 

Quality  of  Plaiuung 

Deliver  satisfactory  (usable) 
reports  lluit  peifonu  capacity 
planning  (assessment  of 

Annually 

<1)100%. 

(2) 

iJl _ 
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SLA 

# 

SERV  ICE  NAME 

SBKVK  B 
DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVER? 

POINTS 

SERVICE 

LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FKI-01  I  NC  V 
MEASUREMENT 

SERI  K1 
PERFORMANCE 
LEVEL 

(•/•of  Satisfaction) 

infrastructure, 
specifically  (0 
connate  future 
volume,  uiiage, 
arul  applications 
characteristics 
as  well  as 
integration  of 
emerging 
technology . 

processes,  trend  analysis, 
requirements  assessment,  etc. ). 

Availability  and 
Timeliness  of  Reports 

Deliverance  of  satisfactory 
i  usable >  reports  that  perform 
capacity  planning  (assessment 
of  processes,  trend  analy  sis, 
requnemenb  assessment  etc.) 
as  per  scheduled  intervals 

Monthly  reports 
until  baseline 
established,  then 
quarter  ly  reports 
using  3, 6.  and  12 

months  of  historical 
measured, 
functional,  and  war 
plans  requirements 
duta  for  re- 
basehmun  the 

NMCI  model 

(1)100% 

(2) 

(2) 

Report  Integrity 

Network  performance  reporting 
integrity 

Monthly  network 
performance  data, 
mduduig  actual  and 
fimetion.  shall  be 
gathered  accorduig 
to  requirements  for 
(lie  model 

(1)100% 

(2) 

(J) 

0031 

Domain  Name  Server 
(DNS) 

Meet  all 
functionality  of 
current  DNS  svc. 
to  include 
flexible  support 
for  deployed 
units. 

NMCI  Infrastructure. 
Organizations,  NMCI 
OP  Center  and  Fleet 
Teleports 

B.HE.MC 

Availability 

Availability  of  DNS  svc 

Primary  DNS  (every 
2-5  mins) 

Secondary  DNS 
(every  10-15  nuns) 

(1) >=0.W7 

(2)  >=0.997 
<3i>=0.9» 

sla 

» 

SERVICE  NAME 

SERVICE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERS 

POINTS 

SIRS  1(1. 
LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQUENCY 

MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

(%ofSalM»ttlun) 

Latency 

Reflects  time  for  NMCI  end 

users  to  use  their  local  DNS 
sves. 

Primary  DNS  (every 

2-5  mins) 

Secondary  DNS 
(every  10-15  mins) 

(1)  100  ms 

(2)  10  ms 

(3)  10  ms 

Usage 

Percentage  of  time  reports  are 
received  and  accurate 

Queriesteoond  rate 
averaged  over  15 
mins 

<1)100.0% 

(2) 

U) 

Quality  of  Service 

Lei  collage  of  time  reports  are 
received  and  accurate 

Avg  successful 
queries/total  queries 
over  I5muts 

(11100.0% 

(2) 

(31 

0032 

Application  Server 
Connectivity 

V-prov  NMCI 
connectivity  for 
Navy /Marine 
Corps 

oigam/altonal/op 
eraliona/ 
functional 
application  sves 
[optional  svc). 

Selected  Government 
Application  Servers 

S.  MC 

Availability 

Availability  of  NMCI  network 
bandwidth  from  local  backbone 
k>  connected  ipp  server. 

Measured 
continuously, 
summarized  daily, 
icporied  monthly 

(1I0.W 

(2) 

<3)0.W7 

Implementation  l  unc 

1  ime  k-tueen  user  request  and 
unpleineiitaUon  of  connectiv  ity 
between  netwoti  backbone  and 
app  server. 

Measured  on  a  pet 
event  basts  and 
summarized  and 
icporied  monthly 

(1) <$  working  days 

(2) 

(2)  <24  his 

MTTR  Backbone  to 
Saver  Network 
Segmeul 

Mean  time  to  repair  nclwoik 
segment  between  supporting 
backbone  and  app  server 

Monitored 
continuously, 
summarized  and 
tenorled  monthly 

( 1 )  <=6  hrs 

(2) 

<2)<=2hrs 

Network  Loading 
(throughput! 

Available  bandwidth  from 
server  to  local  backbone. 

Monitored 
continuously, 
summarized  and 
icporied  monthly 

(1) 0.40 

(2) 

(3)0  JO 

(1032 

A 

Network  Operations 
Duplay 

Provides 
authorized  MC 
users  with  real- 
time  status  of 
ilieu  network 
assets. 

DON  NMCI 

Managers 

Enterprise 

Availability 

Availability  of  NMCI  real-time 
performance  and  status 
information 

Measured 
continuously, 
averaged  weekly . 
t  opened  monthly 

(1) 0.995 

(2) 

(2) 
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SLA 

» 

SERV  ICE  NAME 

SERVICE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SERVICE 

LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQIENCV 

MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

r%ofSalLvfactl«nl 

Customer  Satisfaction 

Level  of  ctisloniei  sultslaclion. 

Initial:  6  mos  for  1* 
yr.  yearly  thereafter 

(1) 0,85 

(2) 

(3) 

(1033 

NMCI  Security 
Operational  Services 
-General 

Provision  of 
security 
ntcchuntsns. 
procedures, 
controls,  and 
operation,  as 
well  as 

compliance  w  ith 
DoD 

certification  and 
accredilaliou 
policies  and 
procedures. 

AD  NMCI  Voice. 
Video,  and  Dala 

SDPs 

B.HE.MC 

Accreditation 

Follow  DITSCAP  5O0CMCI 
accreditation  requirements 
Percentage  of  success  on  first 
attempt  of  adjudicated 
packages 

Semi-annual 

(1) 0.85 

(2) 0.85 

(3) 0510 

Socurity  Integrity- 
Tliird  Party  Physical 
Inspections 

Percentage  of  third  party, 
physical  inspections  passed. 

Annual 

Unelass/Class 

(1) 0.950.99 

(2) 0.97/100% 
(310.991100% 

Security  Integnly  - 
Security  Sleasures 

Percentage  of  violation  of 
security  measures. 

Periodic 

UncUsVClasi 

(l)O.(IOWMXIl 

<2)0.002AMX)I 

<3)0,002(0.00 

Blocking  of  an 

Inlribiou  Attack  (uaet 
level) 

Success  rate  in  blocking  Red 
Team  intrusions 

Periodic 

Undass/l’lass 

(1) 0.998)9999 

(2) 0.998)9999 

(3) 0.999/100.00% 

Blocking  ofan 

Intrusion  Attack  <root 
level) 

Success  rote  in  blocking  Red 
Team  intrusion  attacks. 

Periodic 

Unelass/Class 

(1) 0.998)9999 

(2) 0.998)9999 

:  '  . . 

Blocking  of  a  Denial 
of  Service  (DOS) 

Attack 

Success  rate  in  blocking  of 

DOS  attacks. 

Periodic 

UnclaWCIass 

(1) 0.9958)9999 

(2) 0.9958)9999 
* ; |  ii"  imnai 

SU 

» 

SERVICE  NAME 

SERVICE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SERVICE 

LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQl ENC V 
MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

l%of  Satisfaction) 

Blocking  of  Data 
Retrieval  Attack 

Success  rate  m  blocking  Red 

1  cam  data  retrieval  attacks. 

Periodic 

Unelass/Class 

(1) 0.998)9999 

(2) 0.998)9999 

(3) 0.999/100.00% 

Blocking  ofData 
Integrity  Attack 

Success  rate  in  blocking  Red 
learn  data  integrity  attacks 

Periodic 

UncUss/CInss 

(1) 0.998)9999 

(2) 0.998)9999 

(3) 0.999/100.00% 

Rod  Team  Attacks 

Percentage  of  Rod  Team 
intrusions  detected 

Periodic 

IJnclass/Cluss 

(1) 0.995/0.9999 

(2) 0.995/0.9999 

(3) 0.997/100.00% 

0031 

NMCI  Security 
Operalimial  Services 
PKI 

Protection  of  IS 
to  assure 
confidentiality, 
integrity, 
availability, 
authenticity,  and 
non-repudiation 
PKI  svesfore- 
mad  ibciN 

Fxd&Por  (B.HE, 
MCf  Emb.  Emb  Por. 
Hybrid 

B.HE.MC 

Certificate  Revocation 

Timeliness  of  revoking 
certificates  when  lequued. 

Continuous  by 
vendor,  riindom  by 
Government 

Unelass/Class 

(1) 1  hi/3()  tninn 

(2)  1  lu/30  minn 

(3)  1  hr/30  turns 

Ability  In  Oblam  DOD 
PKI  X.509  Certificates 
for  E-mail 

Time  av|uiied  for  users  to 
successfully  obtain  ( ou  first 
attempt )  X.509  certificates 

Rom  the  NMCI  PKI 

Monthly  repofl 

Unclass/Cluss 

(l|5in.99.7W2min. 

99  9% 

(2l5in.99.7W2mm, 

99.9% 

(3l5in.99.7W2min. 

99.9% 
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SLA 

# 

SERVICE  NAME 

SSRVK 1 
DESCRIPTION 

APPLICABLE 

SERVICE 

D1UVBK1 

POINTS 

SERVICE 

LEVELS 

mrouuNc  b 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQUENCY 

MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

(%  of  Satisfaction) 

Um.1  lol 

DODPKIwilhin 

NMCI 

1  une  from  submission  of  user 
request  to  establishing  fullv 
functional  IXX)  PKI XM 
certificates. 

Monthly  report 

Uih.laWClu3s 

(1) 8554(1  wk),  100% 
(2\»k)/85%(l»k. 
10034(2  wk) 

(2) 8554(1  »k).  10054 
(2v»k)/8554(l  »k, 
10054(2  nil 

(3) 8054  (3  (toys), 
10054(1  wk)*S54(3 
days.  100%  (1  »k) 

Interoperability 

Require;)  full  interoperability 
and  seamless  interface  both 
within  NMCI  and  to  external 
customers. 

Measured 
continuously, 
summarized  daily, 
leporled  monthly,  or 
when  plan  tluesliold 
v  alue  exceeded. 

(1)  within  1  day 

(2)  within  1  day 

(3) within4houri 

00)5 

NMCI  Security 
Operational  Services 
•SIPRNET 

Protection  of  IS 
to  assure 
confidentiality, 
integrity, 
availability . 
authenticity,  and 
non-repudiation 
SIPRNET  access 
to  users. 

Classified 

Connectivity 

Upgrade  Option 

B.HF..MC 

SIPRNET  Access 
Availability 

Availability  of  connectivity  at 
SIPRNET  portal. 

Measured 
continuously, 
summarized  hourly, 
reported  daily 

Normal  Ops/Under 
increased  INFOCON 

(1) 0  MAj6 

(2) 0.9M).6 

(3) 0.996/0/8$ 

SIPRNET  Access 
Verification 

Number  of  unauthorized  users 
who  obtain  successful  access  to 
SIPRNET  sves. 

Continuous  by 
vendor,  periodic  by 
Government 

(1)0.00 

(2)0.00 

(3)0.00 

Inter  operability 

Requires  full  interoperubrlity 
and  seamless  interface  both 
within  NMCI  and  to  external 

customers. 

Measured 
continuously . 
summarized  daily, 
reporied  monthly,  or 
when  plan  tluesliold 
value  exceeded. 

(ll  within  1  day 
(2)  within  1  day 
<3)  within  4  hours 

SU 

If 

SERVICE  NAME 

SERVICE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SERVICE 

LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQUENCY 

MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

f'/uiif  Sutkfaclion) 

Customer  Satisfaction 

User  satisfaction  of  latency  of 
network  apps.  interoperability 
i  reachability )  to  DON  and  Dol) 
sites. 

Continuous  by 
v endor.  periodic  by 
Government 

(1) 0.85 

(2) 0.85 

(3) 085 

(1036 

NMCI  Security 
Planning  Services 

Secure  strategic 
sves  that  provide 
for  the  NMCI  to 
enhance 
confidentiality 
integrity, 
availability, 
authenticity ,  and 
non-repudiation. 

All  NMCI  Voi«. 
Video,  and  Data 

SDPa 

B.H.MC 

Security  Incident 
Reporting 

Time  required  to  document  and 
report  security  incidents. 

Continuous,  report 
monthly 

Unelass/Class 
(III  wk/l  day 
(2)1  wk/l  day 
(J)  1  lu/I  hr 

Security  Incident 
Response 

Tune  required  to  respond  to  a 
security  meident. 

As  required 

Unclasis/Class 
(III  wk/l  day 

(2) 1  wk/l  da\ 

(3)  1  hr/I  hr 

Security  Product 

Refresh 

1  une  requued  to  distribute 
new /revised  security  HW  and 
SW.  Note  Not  applicable  for 
real  lime  security  fixes 
mandated  to  be  completed  in 
shorter  time  frames. 

As  lairntd 

Unelass/Class 

'  .1 

1  ' 

(3)1  mt\  mo 

Security  Vulnerability 
Remediation 

Time  required  to  implement 
real  lime  sy  stem  lixes/patdies 
to  address  security 
vulnerabilities. 

As  specified  by 
policy 

Unclass/Class 
•  III  dav.’l  dax 
.  -  1  X  ll- 
(3)  1  hr/I  hr 

0036 

A 

Integrated 

Configuration 

Management 

CM  mumtcnance 
to  include  asset 
inventory  of  all 
HW  and  SW. 

All  data  seats,  fixed 
and  secure  voice 
devices.  VTC  seats, 
and  all  NMCI 
infrastructure  and 
external  networks 

Enterprise 

Time  to  Update  CM 
System 

Time  to  update  CM  system 
alter  changes  to  asset 
configuration. 

Measured  daily, 
leporled  monthly 

(1) 24  hr* 

(2) 

<J) 

0036 

B 

Integration  and 

Testing 

V-perfonned 
adequate  level  of 
testing  to 
minimize  effects 
of  mods  to 

All  NMCI 

Components 

NMCI.Vrxk 

Time  to  Configure 

Asset 

Based  on  elapsed  time  from 
removal  of  device  from  sve  to 
configure  until  dev  ice  is 
returned  with  updated  baseline 

Monthly 

III 
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SLA 

* 

SERV  IC  E  NAME 

SLR  VIC  h 
DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SERVICE 

LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQl ENCV 
MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

(%of  Sutbfactlun) 

NMC1 

configuration. 

Test  Coordination 
with  live  Ciovemment 

Systems,  products,  and  sves 
coordinated  with  Government 
as  introduced.  V-prov  project 
schedules  for  roll  outs. 

Monthly 

(1) 5*10% 

(2)  10*20% 

(3)  >20% 

(1036 

C 

technology 

Refreshment 

Includes  periodic 
replacement  of 
NMCI  data  seats 
with  more 
capable 
machines,  to 
include  severs, 
telephones, 
telephone 
switches, 
network 
switches, 
network  (outers, 
and  oilier  1 IW 
and 

infrastructure. 

FXd  &  For  (B,  HE. 
MC),Emb 
l  Contractor* 
provided).  Mmb  Por 
(Contractor* 
piovided) 

B.HE.MC 

WS  Refreshment 

Percentage  of  seats  meeting  or 
exceeding  minimum  acceptable 
performance. 

Continuously 
monitored  und 
icported  monthly  for 
fust  1  Hums  and 
quarterly  thereafter 

(1) 36  Mos 

(2)  36  mo* 

(3)  As  applicable 

Refreshment 

Timeliness 

Percentage  of  refreshments 
completed  within  or  before 
quillet  scheduled 

Amiually 

(1) 0.85 

(2) 0.95 

(3) 0.95 

Reficshmeni 

Convenience 

Avg.  score  on  user  refreshment 
convenience  survey  for  all 
technology  refreshments 
completed  during  the  year 

Continuous 
monitoring,  reported 
monthly 

(1)75% 

Rod  75% 

White  65% 

Blue  60% 

Thin  Client  50% 
<2)90% 

(3)  As  applicable 

Average  Relunve 
Performance  of 
Refreshment  WSs 

Avg.  of  relative  performance  of 
WSs  provided  for  refreshment 
compared  to  performance  of 
smi-of*the-arf'  WSs  available 
at  tune  of  refreshment 

Initial:  6  mo*  for  lM 

yr.  y  early  thereafter 

<1)0.85 

<2)0.85 

<3)0.85 

OU.'I'  I  lahau.oj.  I:i-c:l.i-i.  |  \  .we  .i.  |  ,\.l  NMt  1  |:i:i)..MC 

Demonstrated  Benefit 

Number  of  technologv  uiseition 

Annuallv 

(11.75 

su 

» 

SERVICE  NAME 

SERVICE 

DESCRIPTION 

APPLICABLE 

SERVICE 

DELIVERY 

POINTS 

SERVICE 

LEVELS 

PERFORMANCE 

CATEGORIES 

PERFORMANCE 

MEASURED 

FREQUENCY 

MEASUREMENT 

SERVICE 

PERFORMANCE 

LEVEL 

(%ofSall«factlonl 

i) 

identify  mg  and 

apply  mg  new 
technologies 
through 
iim  cased 
effectiveness  of 
program  and 
further  adv  ance 
is  overall 
objectives 

Inlmslmcluie 

projects  completed  for  which 

beneficial  results  can  be 
meusuted  or  demonstrated 

<2)85 

0)85 

Benefit  Significance- 

Pcicciiiiijic  of  ubcrfion  projects 

perforated  in  letms  of 
mproKinent  in  NMCI  cost  or 
relev  ant  technical  parameters 
for  technology  insertion 
projects  completed. 

Annually 

<1)5-1 
(2)10-2 
(3)  >20% 

0037 

Sea-Shore  Rotation 
Support  Tiuining 

V-prov  nuimng 
of  Navy  and 
Marine  Corps 
uniformed  IT 
professionals 
rotating  from  sea 
duty  to  shore 
dub  jobs. 

flaming  Planning 

m 

Skill  Maintenance  and 

I  T  Professional 
Development 

Ability  to  petfoim  training 
needs  assessment  and  planning 
bused  on  evaluaUon  of  pnor 
tiaining  and  expeneoce  of  each 
assigned  individual. 

Measured 
continuously, 
updated  quarterly 

(1)095 
<2)  N/A 
(3)  N/A 

Core  Compdency 

Development 

V-pcrformancc  in  training 

uuifonued  IT  professionals  to 
cany  out  skills  identified  as 
core  competencies  law 
Attachment  3 

Continuous, 
coincides  with 
military  personnel 
fitness  report  cy  cles 

(1) 0.95 

(2)  N/A 

(3)  N/A 

Table  D:  The  SLAs  and  Performance  Measurements  Matrix  Currently  used,  from 
www.nmci.navy.mil,  accessed  February  2004. 
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